On July 14, 2026, Microsoft issued what appears to be the final security patch for SharePoint Server 2016 and 2019—a fix for a high-severity elevation-of-privilege vulnerability that could let an authenticated attacker take full control of a SharePoint farm. The update, tracked as CVE-2026-58277, arrived on the same day both products reached their extended-support end date, turning an urgent patching decision into a stark reminder that any on-premises SharePoint farm left unpatched after July 14 will never receive another security update.
What the Vulnerability Allows
According to Microsoft’s Security Response Center advisory, CVE-2026-58277 stems from improper authorization (CWE-285) in SharePoint Server. An authenticated attacker with even low-level access can exploit this flaw over the network to elevate privileges. No user interaction is required, and attack complexity is low. The CVSS 3.1 score of 8.8 reflects the potential for full compromise: an attacker could read sensitive documents, alter content or configurations, and disrupt service availability. In practical terms, a compromised service account, a contractor login, or a successful phishing attack against a standard user could become the gateway to controlling your entire SharePoint farm. The attack vector string (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) confirms that the threat is remote, simple to execute, and needs only a basic foothold.
The Patch: KBs, Builds, and Configuration
The July 14 security updates are separate for each affected version. Install the correct package and then run the SharePoint Products Configuration Wizard (PSConfig) on every server in the farm. Skipping the configuration step leaves the farm vulnerable even after binary deployment.
| SharePoint Version | Required Update | Additional Language Pack Update | Secure Build Number (or higher) |
|---|---|---|---|
| SharePoint Server 2016 | KB5002891 | KB5002892 | 16.0.5561.1001 |
| SharePoint Server 2019 | KB5002883 | KB5002885 | 16.0.10417.20175 |
SharePoint Server Subscription Edition, while having its own July package (KB5002882), is not listed as affected. SharePoint Online is also immune, so hybrid deployments must recognize that the risk sits entirely in the on-premises portion of the infrastructure.
Who Is at Risk (and Who Isn’t)
Only on-premises SharePoint Server 2016 and 2019 are in scope. No other version—including SharePoint Online, Subscription Edition, or older products—is impacted by this CVE. However, hybrid environments are a common pitfall: your Microsoft 365 tenant may be secure, but an on-premises farm integrated with Azure AD or serving legacy workflows could still harbor the vulnerability. Check every server in your topology, including development, test, disaster-recovery, and disconnected administration nodes. These often slip past routine patching, yet they hold valid credentials and can be exploited if the network boundary is breached.
Why the Date Matters: Support Ends Now
July 14, 2026, isn’t just another Patch Tuesday. It’s the official end of extended support for both SharePoint Server 2016 and SharePoint Server 2019 according to Microsoft’s lifecycle policy. No further security updates will be released for these products. CVE-2026-58277 therefore represents the last official patch they will ever receive. Delaying its installation means leaving a known, high-impact vulnerability open indefinitely with no future safety net. The timing also upends migration timelines: moving to SharePoint Server Subscription Edition or SharePoint Online was already Microsoft’s recommended path, but now the risk calculus demands immediate action.
Immediate Steps for Administrators
- Apply the right update: Confirm that KB5002891 (2016) or KB5002883 (2019) is approved and installed on all farm nodes via WSUS, Configuration Manager, or your patch management tool.
- Run PSConfig: On every server, launch the SharePoint Products Configuration Wizard to update the configuration database.
- Verify build numbers: Use Central Administration or PowerShell (
Get-SPProduct -Local) to ensure the farm is at or above the thresholds in the table above. - Patch out-of-band if necessary: CISA’s vulnerability enrichment currently records no known exploitation, but the low attack complexity and inevitable reverse engineering of the patch mean that a public exploit could surface quickly. Do not wait for your next scheduled maintenance window.
- Monitor for prior compromise: While there’s no indication of active exploitation as of July 15, review your environment for anomalies: recently elevated site collection administrators, unexpected changes to SharePoint or Active Directory groups, new app principals or service accounts, and unusual access to Central Administration. Preserve IIS logs, SharePoint ULS logs, and Windows Security event logs before normal rotation deletes them.
Beyond Patching: Audit and Migration
Installing this final patch does not restore support. SharePoint 2016 and 2019 are now unsupported platforms. Any future vulnerability discovered will remain unpatched, and compliance frameworks may flag your environment as non-compliant. Start an immediate inventory of custom solutions, legacy workflows, and third-party integrations that could complicate a move to Subscription Edition or the cloud. Engage stakeholders to set a hard deadline for decommissioning or migrating these farms. The patch closes today’s door, but the building itself is now condemned.
What to Watch Next
Security researchers typically reverse-engineer patches within days, so technical details and possibly proof-of-concept code may appear soon. Even without known exploitation today, organizations that remain unpatched a week from now will be playing with fire. Additionally, while Subscription Edition isn’t affected, its shared codebase could attract renewed scrutiny: verify that any future Subscription Edition updates are applied promptly. For now, the priority is twofold: patch this CVE immediately, and then plan your exit from these end-of-life products before the next vulnerability arrives without a fix.