Improper input validation in Microsoft Office SharePoint

CVE-2026-32201 is an improper input validation flaw in on-prem Microsoft SharePoint Server that lets an unauthenticated network attacker perform spoofing. Affected ranges published by Microsoft/CVE data are SharePoint Server 2016 before 16.0.5548.1003, SharePoint Server 2019 before 16.0.10417.20114, and SharePoint Server Subscription Edition before 16.0.19725.20210. SharePoint Online is not in the affected product list tied to this CVE.

Microsoft's 6.5/MEDIUM score is technically coherent for the *direct* impact: low confidentiality and integrity impact, no availability impact, and no public evidence that this bug alone becomes RCE. But that vendor label undershoots defender reality because this flaw is KEV-listed, confirmed exploited, unauthenticated, and often reachable on high-value collaboration systems. For an enterprise patch queue, that combination pushes it out of backlog territory and into HIGH priority even though it is not a classic internet-wormable takeover bug.

Why this verdict

• Upward pressure: KEV-listed and actively exploited — once CISA marks exploitation as active, vendor base score stops being the whole story.
• Upward pressure: unauthenticated remote reachability — PR:N and UI:N on a collaboration platform means exposed farms can be hit at scale with commodity HTTP tooling.
• Downward pressure: attacker position still requires exposed SharePoint — this is not broad Windows reachability; it only matters where on-prem SharePoint exists and is reachable.
• Downward pressure: published impact is partial, not takeover — Microsoft's own vector says low C/I and no A, with no public evidence here of standalone RCE.
• Downward pressure: modern controls can reduce population — reverse proxies, VPN-only publishing, WAFs, and IP restrictions materially shrink real-world exposure.

Why not higher?

I am not calling this CRITICAL because the published direct impact is spoofing with partial C/I impact, not unauthenticated RCE or auth bypass with obvious full compromise. It also depends on a specific product population—on-prem SharePoint—and a meaningful chunk of enterprises either do not expose it publicly or front it with compensating controls that reduce attacker reach.

Why not lower?

I am not leaving this at MEDIUM because attackers are already using it, and the combination of AV:N / PR:N / UI:N on SharePoint is exactly the sort of thing that burns defenders who sort by vendor CVSS alone. A KEV-listed bug on a document and workflow platform can become the first move in a larger intrusion even if the CVE itself is not headline-grabbing RCE.

1. Remove direct internet exposure — Put exposed SharePoint behind VPN, private access, IP allowlists, or a tightly controlled reverse proxy within hours because KEV status overrides the normal HIGH mitigation window. This directly cuts off the unauthenticated remote path that matters most for this CVE.
2. Constrain published paths — Limit which SharePoint web apps, alternate access mappings, and external zones are published, and disable any nonessential externally reachable functionality within hours. The goal is to reduce the request surface available before patch validation completes.
3. Turn on aggressive request monitoring — Collect and review IIS, ULS, proxy, WAF, and identity logs for anomalous unauthenticated requests, odd headers, and suspicious query patterns within hours. Detection quality for the initial exploit may be imperfect, so you want broad telemetry around the server and adjacent identity systems.
4. Validate patch presence independently — Do not trust WSUS/SCCM success states alone; verify build numbers on every SharePoint node within hours because mixed farms and out-of-band nodes are common operational failure points.
5. Hunt for follow-on misuse — Review document access anomalies, privileged workflow changes, suspicious service-to-service activity, and identity pivots within hours. The CVE's real danger is often what it enables next, not the published low-impact label.

Run this on each SharePoint server node in the farm from an elevated PowerShell session. Example: powershell -ExecutionPolicy Bypass -File .\Test-CVE-2026-32201.ps1; it needs local admin rights to read SharePoint install paths and file versions.

# Test-CVE-2026-32201.ps1

# Checks local SharePoint build against Microsoft fixed versions for CVE-2026-32201.

# Output: VULNERABLE / PATCHED / UNKNOWN

# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN


[CmdletBinding()]
param()

$ErrorActionPreference = 'Stop'

function Get-SharePointDllPath {
    $candidates = @(
        'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.dll',
        'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\ISAPI\Microsoft.SharePoint.dll'
    )

    foreach ($p in $candidates) {
        if (Test-Path $p) { return $p }
    }

    return $null
}

function Compare-Version {
    param(
        [Parameter(Mandatory=$true)][string]$A,
        [Parameter(Mandatory=$true)][string]$B
    )

    try {
        $va = [version]$A
        $vb = [version]$B
    } catch {
        throw "Unable to parse version string(s): '$A' or '$B'"
    }

    if ($va -lt $vb) { return -1 }
    if ($va -gt $vb) { return 1 }
    return 0
}

try {
    $dll = Get-SharePointDllPath
    if (-not $dll) {
        Write-Output 'UNKNOWN - Microsoft.SharePoint.dll not found in expected SharePoint paths'
        exit 2
    }

    $fv = (Get-Item $dll).VersionInfo.FileVersion
    if (-not $fv) {
        Write-Output 'UNKNOWN - Unable to determine local SharePoint file version'
        exit 2
    }

    $fixed2016 = '16.0.5548.1003'
    $fixed2019 = '16.0.10417.20114'
    $fixedSE   = '16.0.19725.20210'

    $family = 'UNKNOWN'
    $status = 'UNKNOWN'
    $reason = ''

    # Heuristic based on published fixed build bands.

    # SharePoint 2016 builds are far lower than 2019/SE builds.

    # 2019 is lower than Subscription Edition in the published April 2026 fixed builds.


    if ((Compare-Version -A $fv -B '16.0.7000.0') -lt 0) {
        $family = 'SharePoint Server 2016'
        if ((Compare-Version -A $fv -B $fixed2016) -lt 0) {
            $status = 'VULNERABLE'
            $reason = "build $fv is older than fixed build $fixed2016"
        } else {
            $status = 'PATCHED'
            $reason = "build $fv is at or above fixed build $fixed2016"
        }
    }
    elseif ((Compare-Version -A $fv -B '16.0.15000.0') -lt 0) {
        $family = 'SharePoint Server 2019'
        if ((Compare-Version -A $fv -B $fixed2019) -lt 0) {
            $status = 'VULNERABLE'
            $reason = "build $fv is older than fixed build $fixed2019"
        } else {
            $status = 'PATCHED'
            $reason = "build $fv is at or above fixed build $fixed2019"
        }
    }
    else {
        $family = 'SharePoint Server Subscription Edition'
        if ((Compare-Version -A $fv -B $fixedSE) -lt 0) {
            $status = 'VULNERABLE'
            $reason = "build $fv is older than fixed build $fixedSE"
        } else {
            $status = 'PATCHED'
            $reason = "build $fv is at or above fixed build $fixedSE"
        }
    }

    Write-Output ("{0} - {1} - {2}" -f $status, $family, $reason)

    switch ($status) {
        'PATCHED'    { exit 0 }
        'VULNERABLE' { exit 1 }
        default      { exit 2 }
    }
}
catch {
    Write-Output ('UNKNOWN - ' + $_.Exception.Message)
    exit 2
}

Sources

1. NVD entry for CVE-2026-32201
2. OpenCVE record with Microsoft CNA and CISA ADP enrichment
3. Microsoft Support - SharePoint Server 2016 April 14 2026 update (KB5002861)
4. Microsoft Support - SharePoint Server 2019 April 14 2026 update (KB5002854)
5. Microsoft Support - SharePoint Server Subscription Edition April 14 2026 update (KB5002853)
6. Shadowserver Vulnerable HTTP Report
7. Tenable CVE plugin coverage
8. CVEFind EPSS and KEV enrichment