Skip to content
Auto-CTI
Back to today
NEW HIGH B3

CVE-2026-55040: Microsoft SharePoint JWT Token Authentication Bypass (FIXED)

B Rapid7 Cybersecurity Blog · · CVE-2026-55040

Admiralty grading (A–F · 1–6)

Source reliability

  • A Completely reliable
  • B Usually reliable
  • C Fairly reliable
  • D Not usually reliable
  • E Unreliable
  • F Cannot be judged

Information credibility

  • 1 Confirmed
  • 2 Probably true
  • 3 Possibly true
  • 4 Doubtful
  • 5 Improbable
  • 6 Cannot be judged

NATO Admiralty (AJP-2.1) grades confidence, independent of the risk score. Cross-source corroboration isn't tracked for non-CVE news, so single-source items are capped at a lower credibility number; a low number does not imply low quality.

Key metrics

EPSS
0%

Key insight

An authentication bypass (CVE-2026-55040) was chained by Rapid7 Labs with a separate RCE vulnerability to achieve unauthenticated remote code execution; patching the bypass breaks the exploit chain.

Description

CVE-2026-55040 is a JWT token authentication bypass vulnerability in Microsoft SharePoint that allows attackers to bypass authentication. Rapid7 Labs chained this vulnerability with a separate remote code execution flaw to achieve unauthenticated RCE. Although Microsoft assigned it a medium CVSS score, successful chaining with an RCE component demonstrates significant impact. The RCE component is expected to be patched in the August 2026 cycle, while patching CVE-2026-55040 will break the exploit chain.

Risk score

20
cvss base
0.00
kev bonus
0.00
epss bonus
0.00
poc bonus
15.00
raw before weight
15.00
industry weight
1.21
freshness factor
1.00
exploitability factor
1.00
days old
0.00
vendor mismatch penalty
0.00

Path: operational

MITRE ATT&CK mapping

5 TTPs
Recon
Resource Dev
Execution
Persistence
Priv. Escal.
Cred. Access
Collection
C2
Exfiltration
Impact
Conf.: high medium low

Procedure details

Technique Tactic Procedure Conf. Source
T1550.001
Use Alternate Authentication Material: Application Access Token
Defense Evasion CVE-2026-55040 exploits flaws in the JWT token validation pipeline of Microsoft SharePoint, allowing an attacker to forge or manipulate JWT tokens to bypass authentication and impersonate SharePoint users or administrators. high llm
T1078
Valid Accounts
Defense Evasion After bypassing JWT authentication, the attacker assumes the identity of legitimate SharePoint users, including site administrator accounts, performing operations as those authenticated users. high llm
T1087.002
Account Discovery: Domain Account
Discovery The proof-of-concept script enumerates potential SharePoint users via SID enumeration prior to leveraging the authentication bypass to identify and target the SharePoint site administrator account. high llm
T1190
Exploit Public-Facing Application
Initial Access CVE-2026-55040 is exploited remotely by an unauthenticated attacker against a public-facing Microsoft SharePoint server to bypass authentication without any credentials. high llm
T1210
Exploitation of Remote Services
Lateral Movement CVE-2026-55040 is chained with a separate RCE vulnerability to achieve unauthenticated remote code execution against the SharePoint server, demonstrating exploitation of remote services for code execution. medium llm
ESC