CVE-2026-47641: SharePoint Spoofing Vulnerability – CVSS 4.6 – Patch Guidance
CVE-2026-47641 is a spoofing vulnerability in Microsoft Office SharePoint that allows someone with valid login credentials to impersonate other users or entities through the network. The flaw stems from insufficient validation of user input, meaning malicious insiders or compromised accounts can craft specially formatted requests to bypass identity checks. While this requires an authenticated attacker, the impact—unauthorized identity assumption—is serious enough to warrant prompt attention in environments where SharePoint handles sensitive information or facilitates inter-organizational workflows.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.6 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-20
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-09
NVD description (verbatim)
Improper input validation in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exploits improper input validation in SharePoint (CWE-20), allowing an authenticated attacker to craft network requests that bypass spoofing defenses. The attack vector is network-based with low attack complexity, meaning no special conditions are needed beyond a valid user account and user interaction (e.g., clicking a link). The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N) indicates confidentiality and integrity impact confined to the attacker's own session or directly accessible resources, with no availability impact. The requirement for user interaction (UI:R) suggests the attack typically involves social engineering or indirect manipulation rather than silent exploitation.
Business impact
Successful exploitation could undermine SharePoint's collaborative trust model, particularly in scenarios where documents, approvals, or communications require verified identity. An attacker could impersonate colleagues to access shared resources, approve workflows, or send communications appearing to come from trusted parties. For organizations relying on SharePoint for regulated workflows—finance approvals, legal holds, healthcare collaboration—this introduces compliance risk and potential data leakage. The impact is limited by the attacker's need for valid credentials and the requirement for user interaction, but the reputational and operational consequences of identity spoofing in enterprise systems warrant remediation planning.
Affected systems
Microsoft SharePoint Server is affected. Specific version ranges have not been disclosed in this advisory. Organizations should verify which SharePoint Server versions are deployed in their environments by consulting Microsoft's official security guidance, as patch availability and remediation paths vary by release line. Both on-premises and environments with hybrid connectivity should be assessed.
Exploitability
Exploitation requires an attacker to possess valid SharePoint credentials, limiting the threat landscape to insider threats, compromised accounts, or attackers who have successfully phished credentials. The attack is not wormable and does not spread laterally without additional steps. The need for user interaction—such as a target user clicking a link or interacting with a crafted object—raises the bar for exploitation but does not eliminate the risk in phishing-prone or socially engineered scenarios. The vulnerability has not been added to the CISA KEV catalog, indicating no evidence of active exploitation in the wild at the time of this analysis.
Remediation
Organizations should prioritize patching SharePoint deployments according to Microsoft's security updates. Check the official Microsoft security advisory for affected version numbers and cumulative update guidance. Interim mitigations may include restricting SharePoint access to trusted networks, enforcing multi-factor authentication on high-privilege accounts, and educating users to verify sender identity through secondary channels before acting on requests originating from SharePoint. Audit SharePoint logs for unusual identity-related activity.
Patch guidance
Obtain the official security update from Microsoft that addresses CVE-2026-47641. Microsoft typically releases SharePoint security updates on Patch Tuesday or as out-of-band releases for critical issues. Consult the Microsoft Security Update Guide and the specific security advisory for the exact KB numbers and affected version ranges. Test patches in a non-production environment before deployment, as SharePoint updates can affect customizations and integrated solutions. Organizations on extended support or legacy versions should verify whether patches are available for their deployed release.
Detection guidance
Monitor SharePoint audit logs for anomalous identity assertions, including login events from unexpected locations or times associated with specific user accounts, and requests that spoof document ownership or approval. Review ULS (Unified Logging Service) logs on SharePoint servers for input validation errors or exceptions related to user identity processing. Network-based detection is challenging without payload signatures; focus on behavioral indicators such as a single account initiating requests on behalf of multiple other users in rapid succession. Endpoint detection should flag unusual authentication token usage if integrated with identity providers.
Why prioritize this
Although this is a MEDIUM-severity vulnerability requiring authentication and user interaction, the fundamental risk—identity spoofing in a collaboration platform—is organizationally sensitive. Prioritize remediation based on your SharePoint deployment's role in business-critical workflows and regulatory compliance requirements. If SharePoint is heavily used for approvals, records management, or cross-organizational collaboration, elevate priority. For environments with strong identity controls and limited external collaboration, it may be scheduled as a standard update cycle. The absence of active exploitation provides a window for planned patching rather than emergency response.
Risk score, explained
The CVSS 3.1 score of 4.6 (MEDIUM) reflects the authentication requirement (PR:L) and user interaction requirement (UI:R), which significantly constrain exploitation. However, the network vector (AV:N) and low attack complexity (AC:L) indicate the attack is straightforward once an attacker gains credentials. The integrity impact (I:L) and confidentiality impact (C:L) acknowledge that spoofing can lead to unauthorized data access or modification within the attacker's scope. The unchanged security scope (S:U) means the attacker cannot escalate privileges beyond their authenticated session. The score appropriately reflects a real but contained threat.
Frequently asked questions
What does 'spoofing' mean in this context?
Spoofing refers to an attacker making SharePoint think they are a different user or system. By crafting malicious input, they can perform actions as another person—such as accessing documents, approving workflows, or sending messages—while appearing to be that individual.
Do I need to worry if we enforce multi-factor authentication (MFA)?
MFA protects credential compromise to some degree, but it does not prevent spoofing by an attacker who already possesses valid credentials. However, combining MFA with this patch will significantly reduce risk by making credential theft harder.
Is this vulnerability actively being exploited?
No. The vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog, meaning there is no confirmed evidence of active exploitation in the wild. This provides time for organizations to plan and deploy patches systematically rather than respond to an active threat.
Which SharePoint versions are affected?
Microsoft Office SharePoint Server is affected, but specific version numbers are not detailed in this advisory. Consult Microsoft's official security update page and the relevant advisory for your deployment version to determine if you are impacted and which patches are available.
This analysis is based on the published CVE record and official vulnerability data available as of the modification date. Patch availability, affected version ranges, and remediation guidance should be verified against the current Microsoft Security Update Guide and official vendor advisories before implementation. Organizations should conduct their own risk assessments based on their specific SharePoint deployment, network architecture, and business context. SEC.co does not warrant the completeness or accuracy of vendor-specific patch information and recommends independent verification through official channels. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-11008MEDIUMChrome WebAppInstalls Cross-Origin Data Leak (CVSS 6.5)
- CVE-2026-11013MEDIUMChrome Network Input Validation Flaw Enables Memory Data Theft
- CVE-2026-11016MEDIUMChrome Same-Origin Policy Bypass (Medium Severity)
- CVE-2026-11022MEDIUMChrome DevTools Same-Origin Policy Bypass (Medium)
- CVE-2026-11023MEDIUMChrome Same-Origin Policy Bypass in WebAppInstalls