What is Microsoft SharePoint Server?
Microsoft SharePoint Server is an enterprise collaboration and document management platform used by organizations worldwide for intranet portals, team sites, document libraries, and workflow automation. SharePoint is deeply integrated into the Microsoft 365 ecosystem and is commonly deployed on-premises or in hybrid configurations. Its broad deployment across government agencies, financial institutions, healthcare organizations, and large enterprises makes it a high-value target — compromising a SharePoint server can provide attackers with access to sensitive documents, intranet data, and a foothold for lateral movement.
Overview
CVE-2026-32201 is a spoofing vulnerability in Microsoft SharePoint Server caused by improper input validation (CWE-20). An unauthenticated remote attacker can exploit the flaw over a network without any user interaction, triggering spoofing behavior that allows the attacker to view and manipulate sensitive information. The vulnerability carries a CVSS 3.1 score of 6.5 (Important).
The flaw was one of two zero-days patched in Microsoft's April 2026 Patch Tuesday, which addressed 167 vulnerabilities in total. Its simultaneous CISA KEV listing with a 17-year-old Excel vulnerability (CVE-2009-0238) on April 14, 2026 suggests active Microsoft-focused campaign activity.
Affected Versions
| Product | Vulnerable Version | Fixed In |
|---|---|---|
| Microsoft SharePoint Enterprise Server | 2016 | April 2026 Cumulative Update |
| Microsoft SharePoint Server | 2019 | April 2026 Cumulative Update |
| Microsoft SharePoint Server | Subscription Edition | April 2026 Security Update |
Patches are available via Microsoft Update, WSUS, and the Microsoft Security Response Center.
Technical Details
The vulnerability arises from insufficient validation of user-controlled input in Microsoft SharePoint's server-side processing logic. When a crafted request is submitted over a network, the server fails to properly sanitize or reject the malicious input, enabling spoofing — where the attacker can forge or manipulate the apparent identity or content of information.
Based on the CVSS vector and the nature of the flaw, the attack mechanism is consistent with cross-site scripting (XSS) or request forgery patterns, where attacker-controlled input is reflected or stored in ways that influence how information is presented to legitimate users or administrators.
| Attribute | Detail |
|---|---|
| CWE | CWE-20 — Improper Input Validation |
| Attack Vector | Network — exploitable remotely over HTTP/HTTPS |
| Authentication Required | None — no credentials needed |
| User Interaction | None — no victim action required to trigger the initial flaw |
| Complexity | Low — straightforward to exploit once a target is identified |
| Confidentiality Impact | Partial — attacker can view some sensitive information |
| Integrity Impact | Partial — attacker can manipulate disclosed information |
| Availability Impact | None |
Discovery
CVE-2026-32201 was classified as a zero-day at the time of the April 14, 2026 patch release, meaning it was being actively exploited in the wild before a fix was available. Microsoft confirmed active exploitation in the MSRC advisory. The specific researcher or organization that discovered and reported the vulnerability has not been publicly attributed at this time.
Exploitation Context
This vulnerability was patched as a zero-day on April 14, 2026, meaning exploitation was already underway before the patch was available. SharePoint servers are a consistent target for nation-state and financially motivated threat actors due to the sensitive document repositories they host.
The zero-day status and the network-accessible, no-auth nature of the flaw make it particularly dangerous in internet-facing SharePoint deployments. While CVSS scores it at 6.5 (Important rather than Critical), the combination of:
- No authentication required
- No user interaction needed
- Remote network exploitation
- Active zero-day exploitation status
…means the practical risk to unpatched organizations is significantly higher than the score alone implies.
SharePoint spoofing vulnerabilities can serve as a stepping stone in multi-stage attacks: an attacker who can manipulate SharePoint content or impersonate users may be able to harvest credentials, deliver malware via weaponized documents, or escalate to higher-privilege access within the SharePoint farm.
Remediation
- Apply the April 2026 Microsoft Security Update — patches are available for SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition via MSRC, Windows Update, or WSUS.
- Prioritize internet-facing SharePoint deployments — servers accessible from the public internet are at greatest immediate risk given the no-auth, network-exploitable nature of the flaw.
- If patching is not immediately possible, consider placing SharePoint behind a Web Application Firewall (WAF) or restricting access to trusted IP ranges to reduce exposure while scheduling the patch.
- Audit SharePoint access logs for anomalous unauthenticated requests or unusual patterns of data access that may indicate prior exploitation before the patch.
- Review user and content integrity — given the spoofing nature of the vulnerability, verify that sensitive SharePoint content has not been modified and that user identity tokens have not been abused.
- Apply defense-in-depth: enforce least-privilege permissions on SharePoint libraries, enable audit logging, and integrate SharePoint activity into your SIEM for ongoing monitoring.
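One way to carry out the log audit and trusted-range check from the list above, as an added example (not code from Microsoft or the advisory): it parses IIS W3C logs and groups anonymous requests that succeeded from outside trusted ranges. The trusted networks, the logged field selection and the log lines are constructed assumptions, not indicators for this CVE.

```python
import ipaddress
from collections import defaultdict

# Assumption: internal ranges allowed to reach the farm; replace with your own.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed IIS W3C excerpt (documentation IPs, made-up paths); not real indicators.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2026-04-10 08:01:12 GET /sites/hr/SitePages/Home.aspx CONTOSO\\alice 10.1.4.22 200
2026-04-10 08:01:13 GET /sites/hr/SitePages/Home.aspx - 10.1.4.23 401
2026-04-10 09:14:40 POST /sites/finance/_api/web/lists - 203.0.113.50 200
2026-04-10 09:14:41 POST /sites/finance/_api/web/lists - 203.0.113.50 200
2026-04-10 09:14:43 GET /sites/finance/Shared%20Documents/budget.xlsx - 203.0.113.50 200
2026-04-10 09:20:02 GET /sites/hr/SitePages/Home.aspx - 198.51.100.7 401
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields header for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def triage(text):
    """Group successful anonymous requests from untrusted sources by client IP."""
    hits = defaultdict(lambda: {"count": 0, "paths": set(), "methods": set()})
    for r in parse_w3c(text):
        anonymous = r["cs-username"] == "-"        # IIS logs "-" when no user is bound
        succeeded = r["sc-status"].startswith("2")
        if anonymous and succeeded and not is_trusted(r["c-ip"]):
            h = hits[r["c-ip"]]
            h["count"] += 1
            h["paths"].add(r["cs-uri-stem"])
            h["methods"].add(r["cs-method"])
    return dict(hits)

if __name__ == "__main__":
    for ip, h in triage(SAMPLE_LOG).items():
        print(ip, h["count"], sorted(h["methods"]), sorted(h["paths"]))
```

Anonymous 401 responses are left out because they are the normal first leg of Windows authentication; farms that intentionally allow anonymous access need their public paths excluded as well.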
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-32201 |
| Vendor / Product | Microsoft — SharePoint Server |
| NVD Published | 2026-04-14 |
| NVD Last Modified | 2026-04-14 |
| CVSS 3.1 Score | 6.5 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| Severity | MEDIUM |
| CWE | CWE-20 |
| CISA KEV Added | 2026-04-14 |
| CISA KEV Deadline | 2026-04-28 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2026-04-14 | Microsoft patches CVE-2026-32201 as part of April 2026 Patch Tuesday (167 CVEs); zero-day status confirmed — actively exploited before patch release |
| 2026-04-14 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2026-04-28 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2026-32201 | Vulnerability Database |
| Microsoft Security Response Center — CVE-2026-32201 | Vendor Advisory / Patch |
| CISA KEV Catalog Entry | US Government |
| Microsoft April 2026 Patch Tuesday fixes 167 flaws, 2 zero-days — BleepingComputer | News |
| Microsoft Issues Patches for SharePoint Zero-Day and 168 Other New Vulnerabilities — The Hacker News | News |
| Microsoft Patch Tuesday for April 2026 fixed actively exploited SharePoint zero-day — Security Affairs | News |
| Microsoft's April 2026 Patch Tuesday Addresses 163 CVEs (CVE-2026-32201) — Tenable | Security Research |
| The April 2026 Security Update Review — Zero Day Initiative | Security Research |
| CISA adds Microsoft SharePoint Server and Microsoft Office Excel flaws to KEV — Security Affairs | News |
| CWE-20 — Improper Input Validation | Weakness Classification |