[KEV] CVE-2026-32201 -- CVSS 0.0 Vulnerability Briefing

[KEV] CVE-2026-32201 | CVSS 0.0 (Low) | Exploit: Operational

What Is It

CVE-2026-32201 is an improper input validation vulnerability in Microsoft SharePoint Server that enables an unauthenticated, network-based attacker to perform spoofing attacks against affected installations.

Technical Detail

The flaw stems from insufficient validation of attacker-supplied input within Microsoft SharePoint Server, allowing a remote, unauthorized attacker to manipulate data or identity context over the network without requiring prior authentication. The spoofing impact suggests the vulnerability can be leveraged to impersonate users, forge requests, or misrepresent content in ways that could facilitate follow-on attacks such as credential theft or session hijacking. The precise triggering mechanism has not been fully disclosed publicly, but the network-accessible attack vector indicates exploitation does not require local access or user interaction beyond the target environment being reachable.

Exploitation Status

CISA has confirmed active exploitation in the wild, adding this vulnerability to the Known Exploited Vulnerabilities catalog on April 14, 2026. The exploit maturity is rated Operational, meaning functional exploit code capable of reliable, real-world use exists and has been observed being used against targets, not merely demonstrated in a controlled research context.

Who Is Targeting This

No specific threat actor attribution has been confirmed at this time. Given that SharePoint Server is widely deployed in enterprise and government environments, opportunistic actors as well as targeted intrusion groups are plausible sources of exploitation, but no named group has been publicly linked to this CVE as of the date of this briefing.

What To Do

Organizations should apply the relevant Microsoft security update for SharePoint Server immediately. Per CISA's binding operational directive, federal agencies are required to remediate this vulnerability by the deadline specified in the KEV catalog entry associated with the April 14, 2026 addition. If patching cannot be completed immediately, administrators should consider restricting network access to SharePoint Server from untrusted or external sources as an interim control, and should review authentication and access logs for anomalous spoofing indicators such as unexpected identity mismatches or forged request patterns. Monitor Microsoft's official Security Update Guide for patch availability and any updated workaround guidance specific to your SharePoint Server version.