CVE-2026-55040 is a Microsoft SharePoint Server security feature bypass vulnerability involving weak authentication. Successful exploitation can bypass authentication and allow impersonation, with high confidentiality and integrity impact and no availability impact. Microsoft rates it as Critical with a CVSS v3.1 base score of 9.1 and temporal score of 7.9. The attack vector is network, attack complexity is low, privileges required are none, and user interaction is none, which makes it relevant for enterprise environments where SharePoint is reachable over the network. Microsoft states exploitation is not publicly disclosed and not known to be exploited, but exploitation is marked as more likely. Highlights: - CVSS scores: Base 9.1 - Temporal 7.9 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN - Impact: Security Feature Bypass; confidentiality HIGH, integrity HIGH, availability NONE - Exploitation likelihood: Exploitation More Likely; network-based, low complexity, no privileges required, and no user interaction - Severity for enterprise: High risk for network-exposed SharePoint Server deployments because the issue is remotely reachable without authentication or user interaction - Patch status: available; customer action required Affected systems: - Microsoft SharePoint Server 2016 - Microsoft SharePoint Enterprise Server 2016