CVE-2026-55040: Microsoft SharePoint JWT Token Authentication Bypass (FIXED)
Admiralty grading (A–F · 1–6)
Source reliability
- A Completely reliable
- B Usually reliable
- C Fairly reliable
- D Not usually reliable
- E Unreliable
- F Cannot be judged
Information credibility
- 1 Confirmed
- 2 Probably true
- 3 Possibly true
- 4 Doubtful
- 5 Improbable
- 6 Cannot be judged
NATO Admiralty (AJP-2.1) grades confidence, independent of the risk score. Cross-source corroboration isn't tracked for non-CVE news, so single-source items are capped at a lower credibility number; a low number does not imply low quality.
Key metrics
- EPSS
- 0%
Key insight
An authentication bypass (CVE-2026-55040) was chained by Rapid7 Labs with a separate RCE vulnerability to achieve unauthenticated remote code execution; patching the bypass breaks the exploit chain.
Description
CVE-2026-55040 is a JWT token authentication bypass vulnerability in Microsoft SharePoint that allows attackers to bypass authentication. Rapid7 Labs chained this vulnerability with a separate remote code execution flaw to achieve unauthenticated RCE. Although Microsoft assigned it a medium CVSS score, successful chaining with an RCE component demonstrates significant impact. The RCE component is expected to be patched in the August 2026 cycle, while patching CVE-2026-55040 will break the exploit chain.
Risk score
- cvss base
- 0.00
- kev bonus
- 0.00
- epss bonus
- 0.00
- poc bonus
- 15.00
- raw before weight
- 15.00
- industry weight
- 1.21
- freshness factor
- 1.00
- exploitability factor
- 1.00
- days old
- 0.00
- vendor mismatch penalty
- 0.00
Path: operational
MITRE ATT&CK mapping
5 TTPsProcedure details
| Technique | Tactic | Procedure | Conf. | Source |
|---|---|---|---|---|
| T1550.001 Use Alternate Authentication Material: Application Access Token | Defense Evasion | CVE-2026-55040 exploits flaws in the JWT token validation pipeline of Microsoft SharePoint, allowing an attacker to forge or manipulate JWT tokens to bypass authentication and impersonate SharePoint users or administrators. | high | llm |
| T1078 Valid Accounts | Defense Evasion | After bypassing JWT authentication, the attacker assumes the identity of legitimate SharePoint users, including site administrator accounts, performing operations as those authenticated users. | high | llm |
| T1087.002 Account Discovery: Domain Account | Discovery | The proof-of-concept script enumerates potential SharePoint users via SID enumeration prior to leveraging the authentication bypass to identify and target the SharePoint site administrator account. | high | llm |
| T1190 Exploit Public-Facing Application | Initial Access | CVE-2026-55040 is exploited remotely by an unauthenticated attacker against a public-facing Microsoft SharePoint server to bypass authentication without any credentials. | high | llm |
| T1210 Exploitation of Remote Services | Lateral Movement | CVE-2026-55040 is chained with a separate RCE vulnerability to achieve unauthenticated remote code execution against the SharePoint server, demonstrating exploitation of remote services for code execution. | medium | llm |