The Zero Day Initiative published advisory ZDI-26-413 on July 15, 2026, documenting a remote code execution vulnerability in Microsoft SharePoint Server with a CVSS score of 9.8. The maximum severity stems from a flaw in the verification of cryptographic signatures on session security tokens, allowing a network attacker to execute arbitrary code without authentication, potentially in the context of the server's service account.
- ZDI-26-413 (CVE-2026-50522) carries a CVSS 9.8 CRITICAL rating: network attack vector, low complexity, no privileges required, no user interaction.
- The specific flaw resides in SharePoint's handling of session security tokens, specifically the lack of cryptographic signature verification.
- Affected versions are SharePoint Server 2019 and Subscription Edition on-premise; Microsoft has released corresponding patches.
- The vulnerability was discovered by splitline of the DEVCORE Research Team through the Pwn2Own program.
From Pwn2Own to Disclosure: 55 Days of Coordination
The report to Microsoft was made on May 21, 2026. Coordinated disclosure was published on July 15, 2026, after a 55-day interval. This timeline reflects the typical vulnerability management cycle for bugs reported through structured bug bounty programs like ZDI's. The "(Pwn2Own)" prefix in the advisory title confirms the vulnerability was demonstrated in a competitive exploitation context with a working Proof of Concept.
The credited researcher is splitline, a member of the DEVCORE Research Team. The source does not specify the full details of the PoC demonstrated during the competition, nor whether the demonstrated attack chain required additional vulnerabilities beyond ZDI-26-413.
"This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft SharePoint. Authentication is not required to exploit this vulnerability." — ZDI Advisory ZDI-26-413
The Mechanism: When the Cryptographic Signature Becomes Invisible
According to the ZDI advisory, "the specific flaw exists within the handling of session security tokens. The issue results from the lack of proper verification of a cryptographic signature." This technical formulation precisely identifies the vulnerable component: not a generic input parser, but the subsystem that manages session security tokens and validates their cryptographic signature.
The implication is that an attacker can forge or manipulate tokens that the server accepts as legitimate, bypassing the integrity check. The quote continues: "An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the service account." This indicates a potential exploit chain, although the source does not list which "other vulnerabilities" are required.
CVSS 9.8 CRITICAL: Why the Score Is Maximum
The CVE-2026-50522 record, published on cve.org, assigns the vulnerability a CVSS 3.1 score of 9.8 with a CRITICAL rating. The full vector string — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — encodes a particularly dangerous combination: network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction needed (UI:N), with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H).
The absence of authentication and interaction requirements distinguishes this vulnerability from many others in enterprise applications, where a valid account or a victim clicking a link is typically required. In this case, the attack surface is open to any reachable network origin.
Immediate Actions
- Verify the installed SharePoint Server version: 2019 must be updated to 16.0.10417.20175 or later; Subscription Edition to 16.0.19725.20434 or later, per the versions indicated in the CVE record.
- Prioritize patch application in the nearest maintenance window, given the combination of network accessibility and lack of authentication prerequisites.
- Inspect SharePoint Server access logs for anomalies in session token usage patterns, although the source does not specify precise indicators of compromise.
- Review network architectures exposing on-premise SharePoint instances to the external network, considering attack surface reduction until the update is complete.
Context: Session Tokens and the Trust Chain in Enterprise Platforms
The vulnerability highlights a recurring pattern in Microsoft enterprise platforms: the delegation of security to token mechanisms that, when implemented with insufficient cryptographic verification, collapse the entire authentication perimeter. Session security tokens are designed to carry identity and authorization assertions; when the signature protecting them is not verified, the token becomes a vehicle for arbitrary impersonation.
The source does not specify whether the flaw affects related SharePoint components or whether the same verification logic is replicated in other Microsoft products. It also remains unconfirmed whether the vulnerability was exploited in-the-wild prior to patch publication. The service account context in which code executes is not qualified: the source does not indicate whether it is SYSTEM, NETWORK SERVICE, or a dedicated account, resulting in variability in the actual impact of a successful exploit.
Frequently Asked Questions
Is SharePoint Online at risk?
No. Affected versions are exclusively SharePoint Server 2019 and Subscription Edition on-premise. The CVE record does not list SharePoint Online or Microsoft 365 services.
Why doesn't the ZDI advisory report the CVSS score?
The CVSS field in the extracted ZDI advisory is empty; however, the CVE-2026-50522 record on cve.org confirms the 9.8 CRITICAL score with the full vector string. Convergence between primary sources makes the data reliable.
What does "in conjunction with other vulnerabilities" mean?
The quote from the ZDI source indicates that full exploitation might require chaining with other flaws, but does not specify which. It is therefore not possible to determine whether ZDI-26-413 is sufficient on its own for code execution or requires additional components.
Sources
- http://www.zerodayinitiative.com/advisories/ZDI-26-413/
- https://www.cve.org/CVERecord?id=CVE-2026-50522
- http://www.zerodayinitiative.com/advisories/upcoming/
Information has been verified against cited sources and updated at time of publication.