HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-47298Published Modified CNA microsoft

CVE-2026-47298: Microsoft SharePoint Server Remote Code Execution Vulnerability

Improper authorization in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

Metrics

CVSS v3.1
8.0
Severity
HIGH
Fixed in
16.0.5556.1005
Affected Products
3

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An improper authorization vulnerability in Microsoft SharePoint Server allows a network-accessible attacker with a low-privilege account to execute arbitrary code on the server. Exploitation requires the attacker to hold valid SharePoint credentials and to get a victim user to perform an action (such as clicking a crafted link), but no admin rights are needed. Successful exploitation gives the attacker full control over confidentiality, integrity, and availability of the affected SharePoint instance. Patched-image rebuilds at versions 16.0.5556.1005, 16.0.10417.20153, and 16.0.19725.20384 are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle SharePoint components. Any image running an affected SharePoint version (below the respective fix builds) is flagged automatically.

Available
Triage

HarborGuard scores this CVE at CVSS 8.0 (High) and surfaces it with that severity weighting against each environment's compliance policy, so teams with stricter SLAs see it prioritized accordingly. Findings are routed to the appropriate team inbox within each customer org based on image ownership and policy configuration.

Available
Patch

Patched-image rebuilds at the fixed SharePoint versions (16.0.5556.1005 for Enterprise Server 2016, 16.0.10417.20153 for Server 2019, and 16.0.19725.20384 for Subscription Edition) are available on HarborGuard for affected images. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against the affected workloads automatically; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the SharePoint service over the network; the service must be exposed to the attacker's network path.

  • AuthenticationRequired

    A low-privilege SharePoint account is sufficient; no administrative or elevated credentials are needed.

  • Victim interactionRequired

    A legitimate SharePoint user must perform an action (such as clicking a crafted link or opening a malicious document) for the exploit to succeed.

  • Attack complexityDetail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions or specific memory layout.

Blast Radius

  • Reads any content stored in SharePoint, including documents, lists, and stored credentials or tokens accessible to the server process.
  • Modifies or deletes SharePoint content, site configurations, and persisted database rows.
  • Crashes or degrades the SharePoint service, denying access to all users of the affected instance.
  • Enables lateral movement if the compromised server process has access to adjacent internal services or identity stores.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is active across customer environments, matching images against all three affected SharePoint product lines as soon as the advisory was ingested. For environments running a vulnerable SharePoint version, rebuilt images at the patched build numbers are available immediately. Where compliance policy permits auto-remediation, HarborGuard triggers a rebuild at the appropriate fix version, executes the regression test run, and opens a pull request against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes. For environments where auto-remediation is not enabled, the CVE surfaces in the findings dashboard with CVSS 8.0 High severity and SLA countdown based on the team's configured policy. As a compensating control while patching is scheduled, consider applying network-policy rules to restrict unauthenticated or untrusted network paths to SharePoint endpoints, and review SharePoint user account provisioning to limit the pool of low-privilege accounts that could be leveraged.

See how HarborGuard automates this

Fix available

16.0.5556.100516.0.10417.2015316.0.19725.20384
Patch commits
Affected packages
  • Microsoft / Microsoft SharePoint Enterprise Server 2016
    < 16.0.5556.1005 (from 16.0.0)
  • Microsoft / Microsoft SharePoint Server 2019
    < 16.0.10417.20153 (from 16.0.0)
  • Microsoft / Microsoft SharePoint Server Subscription Edition
    < 16.0.19725.20384 (from 16.0.0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
References