Vulnerability Description
CVE-2026-50522 and CVE-2026-58644 are both deserialization of untrusted data vulnerabilities in Microsoft Office SharePoint Server where an unauthorized attacker can send crafted network requests to a vulnerable SharePoint instance and achieve remote code execution without authentication. Both CVEs carry a CVSS v3 base score of 9.8 and were disclosed in the same Microsoft security advisory cycle on July 14, 2026.
The two vulnerabilities followed very different paths to disclosure. Researchers found CVE-2026-50522 and reported it through Pwn2Own (ZDI-26-412), while Microsoft says CVE-2026-58644 is already being exploited in the wild. Microsoft fixed both in the same update. This vulnerability class was also involved in the July 2025 SharePoint ToolShell campaign (CVE-2025-53770), which was mass-exploited against on-premises servers. With exploitation of CVE-2026-58644 already confirmed, organizations running affected SharePoint versions should apply the update as soon as possible.

| Field | Description |
| CVE-ID | CVE-2026-50522 — CVSS v3 9.8 (critical) — assigned by Microsoft CVE-2026-58644 — CVSS v3 9.8 (critical) — assigned by Microsoft |
| Vulnerability Description | CVE-2026-50522 and CVE-2026-58644 are Microsoft Office SharePoint Server vulnerabilities that allow an unauthorized attacker to send crafted network requests to a vulnerable SharePoint instance and achieve RCE without authentication. |
| Date of Disclosure | July 14, 2026 |
| Affected Assets | Microsoft Office SharePoint Server |
| Vulnerable Software Versions | The affected products are the on-premises editions of Microsoft SharePoint Server: SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. Microsoft has patched SharePoint Online, the Microsoft 365 cloud service. No further action is needed for customers of SharePoint Online. See the Censys ARC Perspective below for how this breaks down across the Internet. |
| PoC Available | No public proof-of-concept exploit code is published for either CVE as of 2026-07-16. CVE-2026-50522 originated as a Pwn2Own submission (ZDI-26-412) and has no known public exploit. For CVE-2026-58644, Microsoft’s advisory marks it exploited in the wild but not publicly disclosed. |
| Exploitation Status | CVE-2026-58644: Microsoft’s advisory marks it as exploited, with no public disclosure. CVE-2026-50522: no confirmed exploitation in the wild as of 2026-07-16, and not in CISA KEV. A working exploit does exist, though: it was demonstrated in Pwn2Own (ZDI-26-412), even if that code is not public. |
| Patch Status | Microsoft shipped fixes for both CVEs in its July 2026 security update. Apply the July 2026 SharePoint cumulative update to every affected server as soon as possible. The exact fixed build varies by edition and by CVE, so confirm the target build from the Microsoft Security Update Guide links in the References. If you cannot patch right away, reduce exposure by placing SharePoint behind a WAF or limiting Internet-facing access. |
Censys ARC Perspective
SharePoint reports its version in the MicrosoftSharePointTeamServices response header, but not in a form that can be cleanly interpreted: the value is 16.0.0.<build>, where the meaningful build number sits in the fourth position. The range it falls into tells you the edition: 2016, 2019, Subscription Edition, or the cloud-only SharePoint Online. By parsing the value in that field, Censys can separate on-premises SharePoint from SharePoint Online. Censys observes roughly 334,000 SharePoint web properties, almost all of them SharePoint Online, which Microsoft operates and patches centrally. Counting hosts rather than web properties, about 1,500 run the self-managed, on-premises editions, predominantly SharePoint 2019 with smaller fractions identifying as 2016 and Subscription Edition.
The hosting data reveals an important distinction. Microsoft’s network contains the largest concentration of exposed hosts, but these systems report on-premises SharePoint Server builds rather than SharePoint Online versions. They appear to be customer-managed deployments hosted on Microsoft infrastructure, not instances patched by Microsoft as part of SharePoint Online. AWS has the next-largest concentration, followed by Google Cloud, OVH, DigitalOcean, and Hetzner. Much of the exposed on-premises SharePoint population runs on cloud infrastructure, but responsibility for patching still rests with the customer.
The United States accounts for by far the largest share of exposed hosts, with smaller concentrations in Germany, France, Canada, Iran, Australia, and other countries. The SharePoint response header also limits how precisely patch status can be assessed. It exposes the build number, but not the finer revision needed to identify every installed update. Hosts reporting a build older than the fixed release can be confirmed as out of date. For SharePoint 2019 and Subscription Edition, however, the fix changes only the revision while leaving the reported build unchanged. As a result, hosts on the current build cannot be confirmed as patched or unpatched from the header alone.
Censys queries:
host.services.software:(vendor:"microsoft" and product:"sharepoint_server") or web.software:(vendor:"microsoft" and product:"sharepoint_server")
services.software:(vendor:"Microsoft" and product:"SharePoint")
risks.name: {"Vulnerable Microsoft SharePoint Server [CVE-2026-50522]","Vulnerable Microsoft SharePoint Server [CVE-2026-58644]"}

