As part of the April 2026 Patch Tuesday, Microsoft fixed a SharePoint Server flaw that was already being exploited when the patch shipped. CVE-2026-32201 is a spoofing vulnerability that Microsoft flagged as “Exploitation Detected”, meaning there was evidence of active attacks before a public fix existed.
What the vulnerability is
The problem sits in input validation within Microsoft Office SharePoint Server. Improper validation lets an attacker carry out spoofing attacks over the network. According to Microsoft’s advisory, a successful attacker can view some of the sensitive information the server handles and modify data shown to the victim. It affects confidentiality and integrity, but it does not give full control of the resource or take it offline.
The CVSS score is 6.5, which is medium severity. This is not the kind of critical RCE that hands over a server in one shot. What changes the picture is that it was under active exploitation. A medium-rated flaw with working exploits in the wild matters more than a theoretical critical one that nobody has touched yet.
Who it affects
The target is Microsoft SharePoint Server, the product many organizations run as an intranet, document store and collaboration portal. The risk concentrates on internet-facing SharePoint servers. An internal server behind the corporate network has a much smaller attack surface, but externally reachable installs are the direct target of campaigns like this one.
SharePoint runs on Windows Server, so anyone maintaining a public-facing SharePoint farm should treat this patch as a priority. If you manage the underlying platform, review the Windows Server security notes as well.
Severity and context
This CVE did not arrive alone. It was part of one of the largest Patch Tuesdays in Microsoft’s history, with 167 flaws fixed on 14 April 2026 and two zero-days. The other zero-day in that batch was a privilege escalation to SYSTEM in Microsoft Defender, publicly disclosed but with no confirmed exploitation. CVE-2026-32201 is the one that was actually being used.
That difference matters when you set priorities. A spoofing attack on SharePoint can serve as one link in a longer chain: misleading a user about the origin of content, exposing information that should be restricted, or manipulating what the victim sees to set up the next move. The flaw does not need to hand over the server on its own to be useful to an attacker.
Mitigation and patch
The action is straightforward: apply the April 2026 security update for your version of SharePoint Server. Microsoft offers no alternative mitigation that replaces the patch, so the advice is to deploy it as soon as possible, starting with internet-facing servers.
If your organization runs a testing process before pushing patches to production, this is a case for tightening the timeline. Active exploitation plus public-facing servers leaves little room. While you deploy, check logs for unusual access or requests against your SharePoint instances, in case attempts have already happened.
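One way to start that log review, as an added example that does not come from Microsoft's advisory: a Python script that reads IIS W3C logs from a SharePoint front end and lists external clients that sent write requests to, or collected repeated errors from, SharePoint application endpoints. The internal ranges, the endpoint markers, the thresholds and the sample log are assumptions made for illustration; they are generic triage criteria, not indicators specific to CVE-2026-32201.

```python
import ipaddress
from collections import defaultdict

# Assumption: replace with the ranges your organization treats as internal.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# SharePoint application endpoints worth a closer look when reached from outside.
SP_MARKERS = ("/_layouts/", "/_vti_bin/", "/_api/")

# Constructed sample in IIS W3C format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2026-04-10 08:01:12 GET /sites/hr/SitePages/Home.aspx CONTOSO\\alice 10.0.4.21 200
2026-04-10 08:03:40 GET /_layouts/15/start.aspx - 203.0.113.50 401
2026-04-10 08:03:41 POST /_vti_bin/client.svc/ProcessQuery - 203.0.113.50 403
2026-04-10 08:03:43 POST /_api/contextinfo - 203.0.113.50 200
2026-04-10 08:05:02 GET /sites/press/_layouts/15/images/logo.png - 198.51.100.7 200
2026-04-10 08:06:19 POST /_api/web/lists CONTOSO\\bob 10.0.4.33 200
"""

def parse_w3c(text):
    """Yield one dict per log row, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def triage(text, error_threshold=2):
    """Return external clients with writes or repeated errors on SharePoint endpoints."""
    stats = defaultdict(lambda: {"requests": 0, "writes": 0, "errors": 0})
    for row in parse_w3c(text):
        try:
            ip = ipaddress.ip_address(row["c-ip"])
        except (KeyError, ValueError):
            continue  # no usable client IP on this row
        path = row.get("cs-uri-stem", "").lower()
        if any(ip in net for net in INTERNAL_NETS) or not any(m in path for m in SP_MARKERS):
            continue
        s = stats[str(ip)]
        s["requests"] += 1
        s["writes"] += row.get("cs-method") in ("POST", "PUT", "DELETE")
        s["errors"] += row.get("sc-status", "").startswith(("4", "5"))
    return {ip: s for ip, s in stats.items()
            if s["writes"] or s["errors"] >= error_threshold}

if __name__ == "__main__":
    for ip, s in triage(SAMPLE_LOG).items():
        print(ip, s)
```

A client that appears in the output is a starting point for manual review of its full request history, not proof of an attack; legitimate external users also post to these endpoints.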