Microsoft shipped the July 14 security updates for SharePoint Server — and for SharePoint 2016 and 2019, they are the last. Alongside a grab-bag of fixes, the release squashes CVE-2026-55051, a server-side request forgery (SSRF) vulnerability that lets an attacker with a low-privilege account read sensitive information from an on-premises farm. Because both aging platforms exit extended support on the very same day, this is the final scheduled patch train. IT teams now have one clear task: install the updates, validate the farm, and accelerate migration — in that order.

What actually changed

CVE-2026-55051 lives in the ‘important’ bracket with a CVSS 3.1 base score of 6.5. It’s an information-disclosure flaw classified as CWE-918, meaning an authenticated user can trick the SharePoint server into making requests to internal resources it can reach but the attacker normally cannot. The server then returns the fetched data to the attacker. Microsoft’s vector string — AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N — spells out the contours: the attack works over a network, requires no special user interaction, and demands only a low-privilege account. Only confidentiality takes a hit; there’s no impact on integrity or availability.

Three generations of on-premises SharePoint need different packages:

Product Vulnerable builds below Required update KB
SharePoint Enterprise Server 2016 16.0.5561.1001 KB5002891
SharePoint Server 2019 16.0.10417.20175 KB5002883
SharePoint Server Subscription Edition 16.0.19725.20434 KB5002882

The Subscription Edition’s KB5002882 is a bulky cumulative security release that also patches remote-code-execution, spoofing, and elevation-of-privilege bugs across SharePoint and Word. Crucially, it fixes a nonsecurity regression from June that broke SharePoint 2010 workflows. That gives farms hit by that bug a second reason to move to the July build.

What it means for your farm

For most organizations, SharePoint is a tier-1 collaboration hub holding financial data, HR records, legal docs, and line-of-business reports. An SSRF hole lets an attacker — someone who already has a standard user account — reach past the web front-end to internal services that aren’t supposed to be accessible. Think metadata stores, configuration endpoints, or internal APIs. The attacker doesn’t need to be an admin; a single compromised guest or phished account is enough.

Because the vulnerability was not publicly disclosed nor exploited when the advisory was published, there’s no immediate panic. But the attack complexity is rated low, meaning a skilled adversary can weaponise the flaw quickly once it is reverse-engineered. Farms where many employees hold SharePoint accounts — including remote workers, guests, or external partners — have a wide attack surface and should treat the patch as urgent.

For the Subscription Edition, the July update is just another cumulative rollup in a steady stream. For 2016 and 2019, it’s a dead end. There won’t be another scheduled security fix unless Microsoft announces an exceptional servicing arrangement. Staying on an unsupported SharePoint farm that faces the internet is a high-stakes gamble.

How we got here

Microsoft’s lifecycle policy for SharePoint Server 2016 and 2019 set extended support to end on July 14, 2026. That date didn’t sneak up — it’s been visible on the lifecycle page for years — but the confluence with this vulnerability makes it a sharp deadline. The June updates introduced a regression that halted legacy workflows, which Microsoft acknowledged and resolved in the July patch. So for many admins, this update also restores important business process automation.

The Subscription Edition launched in March 2021 as a continually serviced on-premises replacement. It shares the same core codebase but receives feature and security updates through a modern cumulative model. Microsoft has been nudging classic-farm owners toward that edition or to SharePoint Online for years; the end of support now forces the decision.

What to do now

1. Identify your current build

Run Get-SPProduct -Local on each server or check Central Administration > Manage servers in this farm. Patch levels must match across all servers; if you’re behind on any node, the farm is vulnerable.

2. Address Workflow Manager prerequisites

If your farm uses SharePoint Workflow Manager, install workflow update KB5002799 before the SharePoint cumulative update. If you still run the Classic Workflow Manager (deprecated but present in many older farms), add server debug flag 53601 and restart IIS after applying the SharePoint patch. Skipping this step can break custom workflows.

3. Download and deploy the right update

  • SharePoint 2016: KB5002891
  • SharePoint 2019: KB5002883
  • Subscription Edition: KB5002882 (supersedes June’s KB5002873)

Deploy to all servers in the farm in a controlled maintenance window. Microsoft recommends running the installer as a farm administrator, then executing the SharePoint Products Configuration Wizard (or PSConfig from a command line) on each machine. This step syncs databases and upgrades configuration data.

4. Handle the Subscription Edition actor-token quirk

After PSConfig completes, open SharePoint Management Shell, run:

$farm = Get-SPFarm
$farm.DisableActorTokenAudienceValidation = $true
$farm.Update()

This is a workaround for a defense-in-depth feature still under development; it does not replace the security fix.

5. Verify the build

Check Programs and Features > View installed updates on each server to confirm the KB appears, then spot-check a site collection to ensure workflows, search, and authentication work.

6. Plan your off-ramp from 2016/2019

You’re now running the final supported build. If you haven’t already, start an inventory of customizations, third-party solutions, and authentication integrations. Choose a target — Subscription Edition for on-premises continuity or SharePoint Online for cloud-native — and begin testing migration paths. Farms that hold sensitive data and are internet-facing should prioritise the move before the threat landscape catches up.

Outlook

Microsoft did not rate CVE-2026-55051 as exploited in the wild, and no public proof-of-concept code was available at release. That buys admins a short window. But history shows SSRF flaws in SharePoint earn attention: in previous years, similar bugs were abused in targeted attacks within days of disclosure. The finality of July 14 for 2016 and 2019 turns this patch into a forcing function — not just a security to-do, but a milestone that separates supported operations from exposure. The smart money installs the update this week and spends the next few months packing bags.