CVE-2026-20951
Published: 13 January 2026
Summary
CVE-2026-20951 is a high-severity Improper Input Validation (CWE-20) vulnerability in Microsoft Sharepoint Server. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 20.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires identification, reporting, and timely remediation of known flaws like the improper input validation in CVE-2026-20951, preventing exploitation through patching.
Directly mandates implementation of input validation to address the core CWE-20 improper input validation vulnerability in Microsoft Office SharePoint.
Implements memory protections such as DEP and ASLR to mitigate arbitrary local code execution even if input validation fails.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Improper input validation enables local arbitrary code execution on client systems when a user opens a malicious file or performs an action in SharePoint, directly mapping to client-side exploitation and user-assisted malicious file execution.
NVD Description
Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally.
Deeper analysisAI
CVE-2026-20951, published on 2026-01-13, is an improper input validation vulnerability (CWE-20) affecting Microsoft Office SharePoint. The issue stems from inadequate validation of inputs, enabling an unauthorized attacker to execute code locally on the targeted system. It carries a CVSS v3.1 base score of 7.8, rated as high severity with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.
Exploitation requires local access to the victim's machine (AV:L) with low attack complexity (AC:L) and no privileges (PR:N), but user interaction is necessary (UI:R), such as tricking the user into opening a malicious file or performing a specific action within SharePoint. A successful attack allows arbitrary code execution in the local context without scope changes (S:U), resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H).
Microsoft's Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20951 provides guidance on mitigation and patching for this vulnerability.
Details
- CWE(s)