Jul 15, 2026·6 min read·13 visits
Missing authentication in the User Profiles assembly allows unauthenticated network attackers to elevate privileges to Farm Administrator by omitting the security digest and supplying specific routing headers.
CVE-2026-56164 is a critical vulnerability affecting Microsoft SharePoint Server. It permits unauthenticated, remote attackers to bypass identity verification controls. This flaw is classified under CWE-306: Missing Authentication for Critical Function and allows elevation of privilege up to Farm Administrator level. The vulnerability has been added to CISA's Known Exploited Vulnerabilities catalog due to active exploitation.
CVE-2026-56164 is a security flaw within the user profile and site collection endpoints of Microsoft SharePoint Server. The vulnerability resides specifically within the Microsoft.Office.Server.UserProfiles assembly, which manages directory operations and user properties across SharePoint collections. This component exposes endpoints that receive client-side requests, making it a target for privilege escalation attacks.
The flaw is categorized under CWE-306 (Missing Authentication for Critical Function). It permits unauthenticated remote attackers to execute operations that normally require administrative permissions. Because of the exposed nature of client-facing service handlers, this vulnerability can be exploited over standard network protocols without user interaction.
Upon successful exploitation, an anonymous network connection can gain Site Collection Administrator or Farm Administrator authorization. This enables control over SharePoint site contents, configuration databases, and connected services. Immediate remediation is necessary to prevent unauthorized structural modifications and administrative compromise.
The root cause of CVE-2026-56164 lies in how the Microsoft.Office.Server.UserProfiles handler processes incoming SOAP requests directed at /_vti_bin/client.svc. Under standard operations, SharePoint implements a request-validation pipeline that checks for security identifiers and anti-forgery tokens. This process relies on the presence and verification of the X-RequestDigest HTTP header to assert authentication context and protect against unauthorized operations.
When a request is submitted to the client service handler, the system is designed to initialize the security context within the SPContext object. However, a validation bypass exists when specific HTTP routing headers are included while the X-RequestDigest header is deliberately omitted. Instead of rejecting the unauthenticated request, the internal application logic evaluates the routing parameters and falls back to a highly privileged default state.
Because the backend execution pathway fails to assert identity constraints under this conditional logic, the request bypasses the standard authentication gate. The system then processes the inbound SOAP actions with system-level credentials rather than the caller's actual security context. This allows external, anonymous entities to execute arbitrary configurations or retrieve restricted site resources.
An analysis of the underlying .NET assemblies reveals the logical failure within the request handler before the July 2026 security patch. The vulnerable code pathway determines security initialization using a conditional check that can be bypassed using manipulated HTTP request headers.
// Vulnerable C# implementation in Microsoft.Office.Server.UserProfiles
public void ProcessRequest(HttpContext context) {
string digest = context.Request.Headers["X-RequestDigest"];
// VULNERABILITY: If the digest is missing, the handler incorrectly inspects secondary routing headers.
// If special routing parameters are satisfied, the system bypasses security verification.
if (string.IsNullOrEmpty(digest) && CheckSpecialRoutingHeaders(context)) {
// Bypasses standard identity validation and initializes an elevated administrative session
InitializeElevatedSecurityContext(context);
} else {
// Normal execution path requiring validation
ValidateRequestDigest(digest);
}
}To resolve this vulnerability, Microsoft modified the request processing flow to enforce strict validation rules. The update completely removes the fallback pathway that allowed routing headers to override security context checks. The patched logic now strictly enforces X-RequestDigest validation across all execution branches.
// Patched C# implementation in Microsoft.Office.Server.UserProfiles
public void ProcessRequest(HttpContext context) {
string digest = context.Request.Headers["X-RequestDigest"];
// PATCH: Validate presence of the security digest unconditionally.
// Bypassing identity checks via routing headers is no longer permitted.
if (string.IsNullOrEmpty(digest)) {
context.Response.StatusCode = 401;
throw new UnauthorizedAccessException("Access denied: Missing request digest verification.");
}
ValidateRequestDigest(digest);
InitializeStandardSecurityContext(context);
}Exploitation of CVE-2026-56164 requires direct network access to the target SharePoint instance's client service endpoint located at /_vti_bin/client.svc. An attacker does not require prior authentication or specialized credentials to initiate the attack. The vector is executed solely through unauthenticated HTTP requests.
The attack begins by assembling a crafted SOAP payload designed to invoke administrative endpoints within the User Profiles service. The attacker transmits this SOAP payload while intentionally omitting the X-RequestDigest header. To trigger the bypass, specific secondary routing headers are appended to the HTTP request to direct execution to the unvalidated pathway.
When the vulnerable server receives the request, it executes the payload within the context of an administrative session. This leads to privilege escalation, allowing the attacker to alter site metadata, administrative permissions, or service configuration databases. Evidence of this exploit class has been observed in public repositories and actively tracked campaigns.
The impact of successful exploitation of CVE-2026-56164 is critical, primarily leading to unauthorized privilege escalation. While the direct integrity impact is classified as Low according to the CVSS metric, the resulting administrative elevation allows complete takeover of site collections and farm configurations. This compromise acts as an initial entry point for broader corporate network access.
According to the CVSS v3.1 vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, the vulnerability is rated with a base score of 5.3. However, the operational severity is heightened due to its inclusion in the CISA KEV catalog. Active exploitation indicates that threat groups are actively leveraging this flaw to compromise internet-exposed SharePoint infrastructure.
Once administrative access is achieved on a site collection, the scope of damage can be extended to confidential data exfiltration and persistent lateral movement. By modifying site permissions, adversaries can establish permanent backdoors, manipulate document repositories, or execute secondary exploits against the hosting Windows Server infrastructure.
Organizations operating vulnerable SharePoint instances must prioritize the installation of Microsoft security updates released in July 2026. The vulnerability is fully patched in SharePoint Enterprise Server 2016 (version 16.0.5561.1001), SharePoint Server 2019 (version 16.0.10417.20175), and SharePoint Server Subscription Edition (version 16.0.19725.20434).
If immediate patching is not feasible, network-level mitigations should be applied to reduce the attack surface. Administrators should restrict access to the /_vti_bin/client.svc endpoint using Web Application Firewalls (WAF) or IIS URL Rewrite Rules. These rules should block requests to the client service endpoint that do not contain valid authorization parameters.
<!-- Recommended IIS URL Rewrite Rule to block unauthenticated SOAP calls -->
<rule name="Block-ClientSvc-Bypass" stopProcessing="true">
<match url="_vti_bin/client.svc" />
<conditions>
<add input="{HTTP_X_RequestDigest}" pattern="^$" />
</conditions>
<action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Access Denied" />
</rule>Additionally, forensic monitoring should be configured to detect unauthorized privilege modifications. Security teams must audit the Site Collection Administrators group for unexpected additions and analyze IIS web server logs for anomalous POST requests directed at /client.svc that return HTTP 200 responses despite missing request digests.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N| Product | Affected Versions | Fixed Version |
|---|---|---|
SharePoint Enterprise Server 2016 Microsoft | >= 16.0.0, < 16.0.5561.1001 | 16.0.5561.1001 |
SharePoint Server 2019 Microsoft | >= 16.0.0, < 16.0.10417.20175 | 16.0.10417.20175 |
SharePoint Server Subscription Edition Microsoft | >= 16.0.0, < 16.0.19725.20434 | 16.0.19725.20434 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-306 |
| Attack Vector | Network (AV:N) |
| CVSS Score | 5.3 |
| Exploit Status | Active Exploitation |
| KEV Status | Listed |
The application does not perform any authentication check for a critical function that requires authorization.
CVE-2026-50661 is a security feature bypass vulnerability in Microsoft Windows BitLocker full-disk encryption. A physical attacker can exploit this flaw to bypass encryption controls, permitting unauthorized access to sensitive local storage and the modification of offline system configurations.
A high-severity input sanitization and header injection vulnerability in TsDProxy allows authenticated Tailscale users to inject arbitrary values into the X-Forwarded-For and X-Real-IP HTTP headers. Because downstream backend services frequently trust these headers to resolve client identities, attackers can exploit this flaw to bypass IP-based access control lists, audit logs, and geo-blocking restrictions.
CVE-2026-54448 is a critical denial of service vulnerability in Trivy's Infrastructure-as-Code (IaC) misconfiguration scanning engine. Prior to version 0.71.0, Trivy utilized a custom archive parser to unpack Helm chart tarballs (.tgz) during automated scans. This custom implementation iterated through compressed files and loaded their entire raw contents into system memory using the io.ReadAll function without implementing size limits or threshold checks, enabling an attacker to trigger an immediate heap-allocation crash or system Out-of-Memory (OOM) termination using a decompression bomb.
A critical remote code execution vulnerability exists in TidGi Desktop up to version 0.13.0. The flaw allows an attacker to execute arbitrary code with Node.js privileges when a user imports or clones a malicious TiddlyWiki repository. This occurs due to the automatic execution of 'startup' modules defined in user-imported tiddler files.
A critical Denial of Service (DoS) vulnerability in the Ech0 publishing platform allows unauthenticated remote attackers to exhaust CPU resources via a crafted Accept-Language header. By utilizing underscore separators instead of hyphens, the attack bypasses the CVE-2022-32149 guard within the Go language tag parser, triggering a quadratic-time complexity operation.
FacturaScripts is an open-source PHP-based enterprise resource planning (ERP) and billing software. A critical path traversal vulnerability in the file-handling logic allows authenticated attackers with file upload permissions to write arbitrary files to any location on the system writable by the web server user. By writing custom server configuration files (.htaccess) to directories excluded from default rewrite rules, attackers can map allowed file types (like .png) to the PHP interpreter, leading to full remote code execution.