Am I affected by CVE-2026-32201?

SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition (the 'continuous update' on-premises edition) without the April 2026 security update.

How do I fix CVE-2026-32201?

Install the April 2026 Patch Tuesday security updates for each affected SharePoint version. If a server cannot be patched immediately, pull it off the public internet and put it behind a VPN or Zero Trust gateway, and monitor authentication logs for unexpected token-generation patterns. After patching, audit the last 10 days of SharePoint auth logs and any connected Office 365 federated token issuance for anomalies, since the patch will not retroactively invalidate tokens minted during exploitation.

Over 1,300 SharePoint servers still exposed to ongoing spoofing attacks a week after Microsoft's patch (CVE-2026-32201)

vulnerability

CVE-2026-32201

2026-04-22

Over 1,300 SharePoint servers still exposed to ongoing spoofing attacks a week after Microsoft's patch (CVE-2026-32201)

Shadowserver data shows 1,300+ internet-exposed Microsoft SharePoint servers remain unpatched against CVE-2026-32201, a spoofing flaw Microsoft confirmed as a zero-day and CISA added to its Known Exploited Vulnerabilities catalog the same day the fix dropped in April Patch Tuesday. Fewer than 200 systems have been patched since the update shipped last week. The flaw affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. An unauthenticated attacker can perform network spoofing through improper input validation in a low-complexity attack that needs no user interaction, letting them view sensitive information and modify data, though not affect availability. Microsoft has not described the exploitation technique or attributed the attacks to a specific group, which is unusual for a zero-day and hints at an ongoing investigation. CISA ordered federal agencies to patch by April 28 under Binding Operational Directive 22-01, and given ongoing in-the-wild abuse, private-sector operators should treat that as their own deadline. SharePoint's habit of holding cached Office 365 tokens, SharePoint-signed refresh tokens, and IP on sensitive business processes makes any compromise a serious lateral-movement foothold, not a minor information disclosure.

Check: Inventory every on-premises SharePoint instance in your environment (including dev and staging that may be exposed to the internet) and verify that the April 2026 Patch Tuesday update for CVE-2026-32201 is installed.
Affected: SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition (the 'continuous update' on-premises edition) without the April 2026 security update.
Fix: Install the April 2026 Patch Tuesday security updates for each affected SharePoint version. If a server cannot be patched immediately, pull it off the public internet and put it behind a VPN or Zero Trust gateway, and monitor authentication logs for unexpected token-generation patterns. After patching, audit the last 10 days of SharePoint auth logs and any connected Office 365 federated token issuance for anomalies, since the patch will not retroactively invalidate tokens minted during exploitation.