CVE-2026-47298: Microsoft SharePoint Server Remote Code Execution via Authorization Bypass
CVE-2026-47298 is a high-severity authorization flaw in Microsoft SharePoint Server that allows an authenticated attacker to execute arbitrary code on affected systems over the network. While the attacker must already have valid credentials, the vulnerability bypasses intended access controls, enabling privilege escalation or lateral movement within an organization. User interaction is required to trigger the exploit, which limits but does not eliminate risk in environments where phishing or social engineering are viable attack vectors.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.0 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-285
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Improper authorization in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This vulnerability stems from improper authorization controls (CWE-285) in Microsoft SharePoint Server. An attacker with valid user credentials can craft a malicious request that circumvents authorization checks and achieves remote code execution with high integrity and confidentiality impact. The attack surface is network-accessible, requires low complexity to exploit, and operates within the security context of the affected application (no sandbox escape). The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) reflects the combination of legitimate user privilege, user interaction requirement, and complete compromise of confidentiality, integrity, and availability.
Business impact
Exploitation could allow threat actors to steal sensitive documents, modify or delete business-critical content, deploy malware, establish persistence, and disrupt collaboration infrastructure. Organizations relying on SharePoint for document management, compliance archiving, or project coordination face data breach and operational continuity risks. The requirement for user interaction suggests targeted phishing or social engineering as likely precursors; however, once credentials are obtained, the vulnerability becomes a reliable post-compromise escalation path.
Affected systems
Microsoft SharePoint Server is affected. Organizations should consult Microsoft's official security advisory to identify the specific server versions and patch levels in scope. The vendor typically differentiates between on-premises SharePoint Server deployments and SharePoint Online (cloud); determine whether your infrastructure uses on-premises, hybrid, or cloud-only configurations to prioritize remediation efforts.
Exploitability
Exploitation requires an authenticated user context and some form of user interaction (e.g., clicking a malicious link or opening a crafted document). This is lower than a network-based zero-interaction attack, but still significant in environments with frequent external collaboration or where users have broad SharePoint access. The vulnerability is not currently known to be exploited in the wild (not on the CISA Known Exploited Vulnerabilities list as of publication date), but the straightforward authorization bypass and high impact make active exploitation probable within weeks of public patch availability if left unpatched.
Remediation
Apply the latest security update from Microsoft as soon as it is available and tested in your environment. Prioritize SharePoint servers that handle sensitive content or support critical business processes. Implement network segmentation to limit SharePoint access to authorized users and systems. Enforce conditional access policies and multi-factor authentication for SharePoint access to raise the barrier for credential-based attacks. Monitor audit logs for unusual file access, privilege escalation attempts, or code execution anomalies.
Patch guidance
Monitor Microsoft Security Update Guide and your organization's patch management system for CVE-2026-47298 remediation releases. Test patches in a staging environment that mirrors your production SharePoint topology, including any custom applications or integrations. Schedule patching during maintenance windows to minimize disruption. For on-premises deployments, verify compatibility with any cumulative update or service pack dependencies before broad rollout. If immediate patching is not feasible, implement compensating controls such as IP whitelisting, enhanced logging, and user behavior analytics.
Detection guidance
Enable SharePoint audit logging and monitor for failed authorization attempts, unusual privilege escalations, or code execution events within SharePoint processes. Look for PowerShell or CSOM activity from unexpected users or during off-hours. Deploy endpoint detection and response (EDR) solutions on servers hosting SharePoint to detect process anomalies, file writes to system directories, or outbound connections from SharePoint service accounts. Correlate events across identity and access logs to identify compromised user accounts followed by exploitation patterns.
Why prioritize this
This vulnerability merits urgent attention because it combines high severity (complete confidentiality, integrity, and availability compromise), network accessibility, and an authenticated but easily obtained initial foothold. Although not yet exploited in the wild, the authorization bypass mechanism is straightforward and likely to be weaponized quickly. Organizations with large or distributed SharePoint deployments should begin impact assessments and patch readiness planning immediately.
Risk score, explained
The CVSS 3.1 score of 8.0 (HIGH) reflects high impact across all three security properties (confidentiality, integrity, availability) balanced against the authentication and user interaction requirements. This is a dangerous but not critical score; it indicates that patching should be completed within weeks, not hours, but also that compensating controls and monitoring can reduce risk during the patching window.
Frequently asked questions
Does this vulnerability affect SharePoint Online?
The advisory specifies Microsoft SharePoint Server, which typically refers to on-premises deployments. SharePoint Online (cloud) may or may not be affected depending on whether it shares the same authorization code. Consult Microsoft's advisory and your cloud service status page for clarity on online service impact.
Do we need to do anything if all our users have MFA enabled?
MFA protects the initial login step but does not prevent exploitation once a user is authenticated and interacting with SharePoint. A user with valid credentials and MFA can still be socially engineered to click a malicious link or open a crafted file. Ensure MFA is deployed alongside other defenses such as conditional access, email filtering, and endpoint security.
What is the difference between this flaw and typical cross-site request forgery (CSRF)?
This is an authorization bypass (CWE-285), meaning SharePoint fails to properly validate whether a user is permitted to perform an action, rather than validating whether a request came from a legitimate source. The impact is remote code execution, not just data theft or account takeover, making it more severe than a typical CSRF.
If the attacker needs valid credentials, how is this a network threat?
Network accessibility means the attack can be launched from the internet without requiring physical or VPN access to the corporate network, provided the attacker has credentials (obtained via phishing, credential reuse, or a third party with legitimate access). This significantly increases the attack surface compared to local or VPN-only threats.
This analysis is provided for informational purposes and reflects vulnerability details as of the publication date. Patch versions, affected product lists, and remediation timelines are subject to change as vendors issue updates and guidance. Organizations should verify all technical claims against official vendor advisories and consult their security and risk teams before making remediation decisions. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and disclaims liability for decisions made based on this information. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-42902HIGHMicrosoft PowerToys Privilege Escalation Vulnerability (CVSS 7.8)
- CVE-2026-45490HIGH.NET Authorization Bypass Enables Local Privilege Escalation
- CVE-2026-45503HIGHMicrosoft Exchange Server Improper Authorization Vulnerability (CVSS 8.1)
- CVE-2026-0072HIGHAndroid XR InputMethodManagerService Privilege Escalation (CVSS 7.8)
- CVE-2026-10236HIGHSourceCodester Water Billing System Improper Authorization Vulnerability (CVSS 7.3)
- CVE-2026-11462HIGHBeikeShop Stripe Plugin Authorization Bypass (HIGH)
- CVE-2026-46484HIGH(8.1 HIGH): Headplane Path Traversal & Authorization Bypass
- CVE-2026-46656HIGHBludit Ghost Session Vulnerability – Broken Access Control Flaw