CVE-2026-56164
MEDIUM KEV CISA Exploitation: ACTIVE
5.3
CVSS 3.1
Metadata
Severity & Metrics
5.3
MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C
SSVC — CISA Coordinator
CISA Known Exploited Vulnerability
Required action
Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
CISA description
Microsoft SharePoint contains a missing authentication for critical function vulnerability that allows an unauthorized attacker to elevate privileges over a network.
Affected products (3)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| Microsoft | Microsoft SharePoint Enterprise Server 2016 | x64-based Systems | 16.0.0 < 16.0.5561.1001 |
| Microsoft | Microsoft SharePoint Server 2019 | x64-based Systems | 16.0.0 < 16.0.10417.20175 |
| Microsoft | Microsoft SharePoint Server Subscription Edition | x64-based Systems | 16.0.0 < 16.0.19725.20434 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-306 | cna | CWE-306: Missing Authentication for Critical Function |
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 5.3 | MEDIUM | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C |
References (1)
- Microsoft SharePoint Server Elevation of Privilege Vulnerability https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56164