Critical SharePoint flaw CVE-2026-32201 — patch before the weekend
CISA has added CVE-2026-32201 to its Known Exploited Vulnerabilities (KEV) catalog, and the flaw is being exploited against SharePoint Server. Here is how to check whether your environment is exposed.
Microsoft shipped a fix for CVE-2026-32201 in the April 14 Patch Tuesday release. The flaw is a spoofing bug in SharePoint Server: an unauthenticated attacker on the network can send crafted requests that the server treats as legitimate. It is already being used in live attacks, and CISA has set a remediation deadline of April 27 for U.S. federal agencies.
If you run SharePoint Online only, your tenant is not directly affected. But if you still have an on-prem SharePoint Server, including one kept only for a hybrid configuration synced through Entra Connect, act this week.
What happened
CVE-2026-32201 is a weakness in how SharePoint Server validates inbound requests. An attacker can send crafted requests to an exposed server and have it treat them as if they came from a trusted source. That is enough to hijack sessions and manipulate content.
This is the third SharePoint on-prem CVE in six months. The pattern is clear: if you still run SharePoint locally, attackers are already looking for it.
Why it matters for Swedish SMBs
Even companies that have moved most workloads to Microsoft 365 often have a forgotten SharePoint server still running an intranet portal or a document library set up in 2018. It sits there, patched occasionally, and nobody touches it, until now.
If you are a 5 to 50 employee company on M365 Business Premium for everything else, there is a strong chance that on-prem SharePoint is the weakest link in the entire environment.
What you should do
- Inventory: does SharePoint Server run anywhere in the environment? Also check whether any host on your intranet answers on /_layouts/15/ (the SharePoint layouts path); a hybrid setup still depends on an on-prem farm, and such a farm is easy to forget.
- Install the April 2026 SharePoint Server update the day you find the server. Microsoft has published version-specific KB articles for SharePoint 2016, 2019 and Subscription Edition (SE); read the minimum patched build number for your version from the KB.
- Verify the server is not reachable from the internet without a WAF or an authentication requirement in front of it. If it is, close the exposure immediately, whether or not the patch is already on.
- Review failed SharePoint sign-ins for the last 14 days: the sign-in logs in the Entra admin center cover hybrid and federated logins, while purely local logins only show up in the server's own Security event log and IIS logs.
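The inventory and patch-state steps above, as an added example that is not part of the original post: a PowerShell script (Windows PowerShell 5.1 or PowerShell 7) that probes each candidate host on /_layouts/15/ without credentials, reads the build number that SharePoint returns in its MicrosoftSharePointTeamServices response header, and compares it with the minimum patched build you copy from the KB. The host list and the minimum-build table are placeholders that you must fill in yourself; the product mapping uses approximate RTM build baselines (SharePoint 2016 around 16.0.4xxx, 2019 around 16.0.10xxx, SE 16.0.14xxx and later). Run it once from inside the network for the inventory, and once from an external vantage point to confirm that nothing answers from the internet.

```powershell
# Added example, not code from the original post.
# Assumes: admin workstation that can reach the candidate hosts over HTTPS.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

# Constructed sample host list: replace with the output of your own asset inventory.
$CandidateHosts = @('intranet.corp.example', 'docs.corp.example', 'sp2016.corp.example')

# Minimum patched build per product, copied from Microsoft's April 2026 KB for each version.
# 0.0.0.0 is a placeholder meaning "not filled in yet"; the script refuses to call such a host patched.
$MinimumBuild = @{
    'SharePoint 2016'                 = [version]'0.0.0.0'
    'SharePoint 2019'                 = [version]'0.0.0.0'
    'SharePoint Subscription Edition' = [version]'0.0.0.0'
}

function Get-SPProductFromBuild {
    # Map a farm build number to a product name using approximate RTM baselines.
    param([Parameter(Mandatory)][version]$Build)
    if ($Build.Major -eq 15) { return 'SharePoint 2013' }
    if ($Build.Major -eq 16) {
        if ($Build.Build -ge 14326) { return 'SharePoint Subscription Edition' }
        if ($Build.Build -ge 10337) { return 'SharePoint 2019' }
        return 'SharePoint 2016'
    }
    return 'Unknown'
}

function Test-SPEndpoint {
    # HEAD https://<host>/_layouts/15/ anonymously. SharePoint answers (usually 401 for an
    # anonymous caller) with the MicrosoftSharePointTeamServices header carrying the build.
    param([Parameter(Mandatory)][string]$HostName)
    $req = [System.Net.WebRequest]::Create("https://$HostName/_layouts/15/")
    $req.Method = 'HEAD'
    $req.Timeout = 5000
    $req.AllowAutoRedirect = $false
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        if (-not $_.Exception.Response) {
            return [pscustomobject]@{ Host = $HostName; Reachable = $false; Status = $null; Product = $null; Build = $null }
        }
        $resp = $_.Exception.Response   # 401/403 still carry the headers we need
    }
    $header = $resp.Headers['MicrosoftSharePointTeamServices']
    $status = [int]$resp.StatusCode
    $resp.Close()
    $build = $null; $product = $null
    # Keep only the leading dotted version; some builds append extra flags after it.
    if ($header -and $header -match '^\s*(\d+(\.\d+){1,3})') {
        $build = [version]$Matches[1]
        $product = Get-SPProductFromBuild -Build $build
    }
    [pscustomobject]@{ Host = $HostName; Reachable = $true; Status = $status; Product = $product; Build = $build }
}

function Get-SPPatchStatus {
    # Compare a probe result with the minimum build table; unknown or unfilled entries are never "Patched".
    param([Parameter(Mandatory)][pscustomobject]$Probe)
    if (-not $Probe.Reachable) { return 'Unreachable' }
    if (-not $Probe.Build) { return 'No SharePoint header (not SharePoint, or header suppressed)' }
    $min = $MinimumBuild[$Probe.Product]
    if (-not $min -or $min -eq [version]'0.0.0.0') { return 'Fill in minimum build from the KB' }
    if ($Probe.Build -ge $min) { return 'Patched' }
    return 'VULNERABLE: below minimum build'
}

$results = foreach ($h in $CandidateHosts) { Test-SPEndpoint -HostName $h }
$results |
    Select-Object Host, Reachable, Status, Product, Build, @{ n = 'PatchStatus'; e = { Get-SPPatchStatus -Probe $_ } } |
    Format-Table -AutoSize

# To confirm the header value on the server itself (SharePoint Management Shell):
#   Add-PSSnapin Microsoft.SharePoint.PowerShell; (Get-SPFarm).BuildVersion
```

A host that is Reachable with a build in the output but sits on a public DNS name is exactly the exposure the third step above tells you to close. A farm that hides the header behind a reverse proxy will show up as "No SharePoint header"; check those from the server console with the Get-SPFarm line in the comment.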
How HaggeBurger can help
We run a 1 to 2 hour Quick Check that inventories your SharePoint and Exchange hybrid footprint and verifies patch state against the April advisory. If you want to get off on-prem entirely, our packaged Migration Accelerator takes you from inventory to a full SharePoint Online migration in 2 to 4 weeks.
Want us to look at your environment? Email hej@haggeburger.se or book a short review at haggeburger.se/contact.