Microsoft released its July 2026 security updates on July 14, and among the patches is a fix for CVE-2026-55034—an Important-rated cross-site scripting (XSS) flaw in on-premises SharePoint Server. With a CVSS base score of 7.3, the vulnerability could let an authenticated attacker inject untrusted content that gets executed when another user views a specially crafted SharePoint page. The good news: there’s no evidence of active exploitation, and the patch is available now. The catch? You’ll need more than just clicking “Install.” SharePoint farms demand a careful, multi-step update process, and missing a prerequisite or post-configuration step could leave you exposed.

What Actually Changed in the July Patches

CVE-2026-55034 stems from improper neutralization of input during web page generation—a classic XSS vulnerability. An attacker who already has a low-privilege account within your SharePoint environment can create content that, when viewed by another user (including a high-privilege admin), triggers malicious scripts. Because the attack originates from a trusted internal domain, users are far more likely to fall for convincing spoofs, fake login prompts, or data-theft schemes.

The CVSS vector tells the story: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N. It’s network-accessible, low complexity, requires low privileges and user interaction. The impact on confidentiality and integrity is high, but availability isn’t affected—your servers won’t crash, but your data might be siphoned.

Microsoft has confirmed the vulnerability affects three on-premises product branches:
- SharePoint Enterprise Server 2016 (fixed in build 16.0.5561.1001)
- SharePoint Server 2019 (fixed in build 16.0.10417.20175)
- SharePoint Server Subscription Edition (fixed in build 16.0.19725.20434)

The Subscription Edition patch arrives as KB5002882, a cumulative update that also addresses several other security issues. This build supersedes last month’s KB5002873. Notably, SharePoint Online is not affected; Microsoft’s cloud service receives automatic patches, so only on-premises administrators need to take manual action.

What This Means for Your Organization

If you run any on-premises SharePoint farm, this is a patch you cannot ignore. While Microsoft rates exploitation as “less likely” and reports no current attacks, the combination of low complexity and the trust users place in internal portals makes this a juicy target. A disgruntled employee, a compromised vendor account, or a phished set of credentials could give an attacker the foothold they need to craft targeted XSS payloads. Once inside, they could impersonate other users, steal session tokens, or redirect colleagues to malicious sites—all under the cover of your legitimate SharePoint URL.

The good news: the patch is straightforward—if you follow the book. For SharePoint Server Subscription Edition, KB5002882 is available via Microsoft Update, the Update Catalog, and the Download Center. But administrators must also run the SharePoint Products Configuration Wizard (PSConfig) on every server in the farm to complete the upgrade. A server showing “update installed” without completing PSConfig is not protected.

And there’s more. Microsoft’s support documentation highlights several critical prerequisites and post-install steps that, if skipped, could break core functionality or leave the server in a half-patched state.

How We Got Here: A Familiar Pattern

SharePoint’s history is littered with XSS and spoofing bugs, often requiring urgent patches. Just last month, a SharePoint 2010 workflow regression was introduced by the June 2026 update, which caused workflows to fail to start. KB5002882 explicitly fixes that regression—making this update doubly important for organizations that skipped June’s release or rolled it back.

The complexity of on-premises SharePoint patching isn’t new, either. Unlike a monthly Windows update, SharePoint farms often integrate deeply with workflow engines, custom web parts, and line-of-business applications. A blind “patch all the things” approach can break more than it fixes. This is why Microsoft advises specific sequences for Workflow Manager customers.

For the Subscription Edition, KB5002799—a prerequisite for the Workflow Manager—must be installed before KB5002882. Environments still running classic Workflow Manager must also set a debug flag (53601), update the farm, and then reset IIS. And after applying KB5002882, admins must set DisableActorTokenAudienceValidation to $true, temporarily turning off a defense-in-depth validation that’s under development and might cause regressions. These aren’t cosmetic steps; they directly impact how Workflow Manager and token validation behave.

What to Do Now: A Step-by-Step Patching Plan

If you’re a SharePoint administrator, here’s your action plan for July 2026:

1. Identify Your Exact SharePoint Version and Build

Check the current build number via Central Administration > System Settings > Manage servers in this farm, or run (Get-SPFarm).BuildVersion in PowerShell. This determines which patch you need.

2. Download the Correct Patch

  • SharePoint Server 2016: Look for the July 2026 cumulative update; install build 16.0.5561.1001.
  • SharePoint Server 2019: Install build 16.0.10417.20175.
  • SharePoint Server Subscription Edition: Install KB5002882 from the Microsoft Update Catalog or WSUS. If you use Workflow Manager, remember to first install KB5002799.

3. Apply Prerequisites (Workflow Manager Only)

If your farm uses SharePoint Workflow Manager:
- Install KB5002799 before applying the main security update.
- If using classic Workflow Manager, add farm debug flag 53601. Microsoft’s documentation provides the exact PowerShell commands; test this in a staging farm before touching production.

4. Patch All Servers in the Farm

Run the update installer on each server that runs SharePoint (application servers, web front-ends). Do not complete PSConfig immediately on all of them—follow your organization’s procedure. Typically, you install the bits on all servers first, then run the configuration wizard sequentially, starting with the server hosting Central Administration.

5. Run PSConfig

This step upgrades the databases and completes the patch. You can use the GUI wizard or command-line psconfig.exe -cmd upgrade -inplace b2b -wait. After completion, verify the build number again; all servers should now show the target build.

6. Perform Post-Patch Steps

For Subscription Edition:
- Run Set-SPDisableActorTokenAudienceValidation $true as instructed by Microsoft. This disables a feature that may cause issues; it’s a temporary measure.
- If you previously set the classic Workflow Manager flag, ensure IIS has been reset.

7. Verify Workflows and Customizations

After patching, test workflows (especially SharePoint 2010 workflows if you rely on them), custom web parts, and any third-party solutions. The regression fix for workflow failures should now be in place, but double-check critical business processes.

8. Monitor Logs and User Reports

In the days following the patch, watch for unusual errors in SharePoint ULS logs and reports from users about broken functionality. If something breaks, the flag-based workarounds may be involved.

Even if you cannot patch immediately, start planning. In the meantime, review accounts that have contributor or higher privileges on critical sites. Audit any suspicious list or page modifications. But remember: these are temporary defenses. The only lasting fix is the update.

Outlook: Stay Vigilant

Microsoft’s July patches address CVE-2026-55034 and a clutch of other issues, but SharePoint’s complexity ensures future updates will demand similar care. Bookmark the MSRC advisory page for this CVE, and subscribe to Microsoft’s technical security notifications. While no active exploits are in the wild now, XSS flaws in enterprise collaboration platforms are always a tempting target for attackers once a patch reverse-engineering cycle begins. The real measure of safety isn’t whether you downloaded the patch—it’s whether your farm’s build numbers match the corrected versions and all post-configuration steps are complete.

Don’t wait: a confirmed, low-complexity vulnerability sitting at the heart of your intranet deserves a prompt and methodical response.