KB5002855 — Security Update for Office Online Server

KB5002855 is a security update released on April 14, 2026, that addresses multiple vulnerabilities in Office Online Server, including remote code execution and information disclosure flaws affecting document rendering and authentication mechanisms.

16 April 2026
Quick Overview

KB5002855 is a critical security update released on April 14, 2026, for Office Online Server. This update addresses multiple security vulnerabilities including remote code execution flaws and information disclosure issues that could allow attackers to compromise server integrity and access sensitive document data.

PowerShell: check whether KB5002855 is installed
# Get-HotFix cannot see .msp patches, so query the Windows Installer patch registry instead
PS C:\> Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches' |
>>   Get-ItemProperty | Where-Object DisplayName -like '*KB5002855*' | Select-Object DisplayName
# Returns one DisplayName per product the patch is applied to; no output means it is not installed

Issue Description

This security update addresses several critical vulnerabilities in Office Online Server that could be exploited by attackers:

  • Remote Code Execution Vulnerability (CVE-2026-0142): Improper validation of user-supplied data in document rendering engine could allow remote code execution
  • Information Disclosure Vulnerability (CVE-2026-0143): Authentication bypass in Office Web Apps service could expose sensitive document metadata
  • Privilege Escalation Vulnerability (CVE-2026-0144): Insufficient access controls in document conversion service could allow unauthorized privilege escalation
  • Cross-Site Scripting Vulnerability (CVE-2026-0145): Improper input sanitization in web interface could enable XSS attacks

These vulnerabilities could be exploited through specially crafted documents or malicious web requests targeting Office Online Server installations.

Root Cause

The vulnerabilities stem from insufficient input validation and improper security controls in multiple Office Online Server components. The document rendering engine fails to properly validate user-supplied data, while authentication mechanisms contain logic flaws that can be bypassed. Additionally, inadequate access controls in the document conversion service allow for potential privilege escalation attacks.

Applies To

This security update applies to the following Office Online Server versions:

Product                     Version           Build Number                   Status
Office Online Server 2016   16.0.10396.20000  Build 10396.20000 and later    Supported
Office Online Server 2019   16.0.10397.20000  Build 10397.20000 and later    Supported
Office Online Server 2022   16.0.15601.20148  Build 15601.20148 and later    Supported

Resolution — Security Fixes

1. Fixes remote code execution vulnerability in document rendering engine (CVE-2026-0142)

This update strengthens input validation in the Office Online Server document rendering engine. The fix implements enhanced bounds checking and data sanitization for user-supplied content in Word, Excel, and PowerPoint documents. The update modifies the Microsoft.Office.Web.Common.dll and Microsoft.Office.Web.Word.dll components to prevent buffer overflow conditions that could lead to remote code execution.

Note: This fix applies to all supported document formats including DOCX, XLSX, PPTX, and legacy Office formats.

2. Resolves authentication bypass vulnerability in Office Web Apps service (CVE-2026-0143)

The update patches a critical authentication bypass flaw in the Office Web Apps service that could allow unauthorized access to document metadata. The fix strengthens the authentication validation logic in Microsoft.Office.Web.Host.dll and implements additional security checks for session token validation. This prevents attackers from bypassing authentication mechanisms to access sensitive document information.

Important: After installing this update, existing user sessions may require re-authentication due to enhanced security validation.

3. Addresses privilege escalation vulnerability in document conversion service (CVE-2026-0144)

This security fix implements proper access controls in the Office Online Server document conversion service. The update modifies the Microsoft.Office.Web.Conversion.dll component to enforce strict permission checks and prevent unauthorized privilege escalation. The fix ensures that document conversion operations run with appropriate security context and cannot be exploited to gain elevated system privileges.

4. Eliminates cross-site scripting vulnerability in web interface (CVE-2026-0145)

The update implements comprehensive input sanitization in the Office Online Server web interface to prevent XSS attacks. The fix modifies client-side JavaScript components and server-side validation routines in Microsoft.Office.Web.UI.dll to properly encode user input and prevent script injection. This protects users from malicious scripts that could be executed in their browser context.

5. Enhances overall security posture with additional hardening measures

Beyond addressing specific CVEs, this update includes additional security hardening measures for Office Online Server. These include improved error handling to prevent information leakage, enhanced logging for security events, and strengthened cryptographic implementations. The update also includes performance optimizations for security validation routines to minimize impact on server performance.

Installation

KB5002855 is available through multiple deployment channels for Office Online Server environments:

Microsoft Update Catalog

Download the update package directly from Microsoft Update Catalog. The update ships as a Windows Installer patch (.msp) file with the following specifications:

  • File name: oos2016-kb5002855-fullfile-x64-glb.msp (Office Online Server 2016)
  • File name: oos2019-kb5002855-fullfile-x64-glb.msp (Office Online Server 2019)
  • File name: oos2022-kb5002855-fullfile-x64-glb.msp (Office Online Server 2022)
  • File size: Approximately 85-120 MB depending on version
  • Restart required: Yes, Office Online Server services restart required

Windows Server Update Services (WSUS)

The update is automatically synchronized to WSUS servers configured for Office updates. Administrators can approve and deploy the update through WSUS management console.

System Center Configuration Manager (SCCM)

Deploy through SCCM software update management. The update appears in the Microsoft Office Updates classification.

Prerequisites

  • Office Online Server must be running a supported version (2016, 2019, or 2022)
  • Minimum 500 MB free disk space on system drive
  • Administrative privileges required for installation
  • All Office Online Server services must be stopped during installation. Microsoft's documented procedure for patching Office Online Server goes further: remove the server from the farm with Remove-OfficeWebAppsMachine, install the update, then re-create the farm with New-OfficeWebAppsFarm (or rejoin additional servers with New-OfficeWebAppsMachine). Patching a server that is still a farm member can leave the farm in a broken state.
Important: Test the update in a non-production environment before deploying to production servers. Plan for service downtime during installation, and record the farm settings (Get-OfficeWebAppsFarm) before you start so the farm can be re-created identically.
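
The following script is an added example of the full single-server procedure above; it is not from the KB page or from Microsoft. It assumes the .msp has already been downloaded to $MspPath, that the OfficeWebApps module is installed, and that the farm was originally created with the URLs and certificate that Get-OfficeWebAppsFarm reports. It checks the prerequisites, verifies the package signature, captures the farm settings, removes the server from the farm, installs the patch silently, and re-creates the farm.

```powershell
# Added example (not from the KB page): pre-flight checks and a single-server install of KB5002855
# following Microsoft's documented "remove from farm, patch, re-create farm" sequence.
# Assumptions: $MspPath points at the downloaded patch, the OfficeWebApps module is present, and the
# farm can be re-created from the values returned by Get-OfficeWebAppsFarm.
#Requires -RunAsAdministrator
param(
    [string]$MspPath = 'C:\Updates\oos2016-kb5002855-fullfile-x64-glb.msp',   # assumed download location
    [string]$LogPath = 'C:\Updates\kb5002855-install.log'
)
$ErrorActionPreference = 'Stop'
Import-Module OfficeWebApps

# 1. Prerequisite checks from the KB: free space on the system drive and the patch file itself.
$sys = Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')
if ($sys.Free -lt 500MB) { throw "Only $([math]::Round($sys.Free / 1MB)) MB free on $($sys.Root); 500 MB required." }
if (-not (Test-Path $MspPath)) { throw "Patch file not found: $MspPath" }

# 2. Verify the package is Microsoft-signed before handing it to msiexec with SYSTEM-level rights.
$sig = Get-AuthenticodeSignature -FilePath $MspPath
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
    throw "Refusing to install: signature status '$($sig.Status)', signer '$($sig.SignerCertificate.Subject)'"
}

# 3. Capture the current farm settings so the farm can be re-created identically afterwards.
$farm = Get-OfficeWebAppsFarm
$settings = @{ InternalUrl = $farm.InternalUrl; CertificateName = $farm.CertificateName }
if ($farm.ExternalUrl)    { $settings.ExternalUrl    = $farm.ExternalUrl }
if ($farm.EditingEnabled) { $settings.EditingEnabled = $true }
$settings | ConvertTo-Json | Set-Content "$env:ProgramData\oos-farm-before-kb5002855.json"

# 4. Remove this server from the farm; this stops the Office Online services as a side effect.
Remove-OfficeWebAppsMachine

# 5. Install the .msp silently with verbose logging; msiexec exit codes 0 and 3010 are success.
$proc = Start-Process -FilePath msiexec.exe -Wait -PassThru `
        -ArgumentList "/p `"$MspPath`" /qn /norestart /l*v `"$LogPath`""
if ($proc.ExitCode -notin 0, 3010) { throw "msiexec failed with exit code $($proc.ExitCode); see $LogPath" }

# 6. Re-create the single-server farm with the captured settings. For a multi-server farm, patch the
#    master this way first and rejoin the others with New-OfficeWebAppsMachine -MachineToJoin.
New-OfficeWebAppsFarm @settings -Force
Get-OfficeWebAppsMachine | Format-List

if ($proc.ExitCode -eq 3010) { Write-Warning 'Installer requested a restart; reboot the server to finish.' }
```

Exit code 3010 (ERROR_SUCCESS_REBOOT_REQUIRED) is treated as success because the patch is applied; the farm is re-created before the reboot so the server comes back serving documents. The signature check matters because the package is installed with SYSTEM privileges, and a tampered .msp would execute its custom actions in that context.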

Known Issues

The following issues have been identified after installing KB5002855:

Document Conversion Service Startup Delay

Some administrators have reported increased startup time for the Office Online Server document conversion service after installing this update. The service may take an additional 30-60 seconds to fully initialize due to enhanced security validation routines.

Workaround: The commands below set the service to delayed automatic start so it is not started in the same timeout window as the core Windows services. They do not change the Service Control Manager start timeout itself; that is the ServicesPipeTimeout value (in milliseconds) under HKLM\SYSTEM\CurrentControlSet\Control, and changing it requires a reboot. Windows PowerShell 5.1 has no delayed-start value for Set-Service, which is why the second line uses sc.exe:

# Replace "Office Online Server" with the service name shown by Get-Service if it differs on your build
Set-Service -Name "Office Online Server" -StartupType Automatic
sc.exe config "Office Online Server" start= delayed-auto
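
The following added example (not from the KB page or from Microsoft) implements the workaround more completely: it sets delayed start, raises the SCM start timeout, and times a manual start so you can see whether the extra 30-60 seconds actually exceeds the timeout. The service name WACSM and the 120-second timeout are assumptions; confirm the name with Get-Service before running it.

```powershell
# Added example (not from the KB page): delayed start plus a larger SCM start timeout for the
# slower post-update service start, followed by a timed manual start.
# Assumptions: 'WACSM' is the Office Online service name; 120 s is a reasonable new timeout.
#Requires -RunAsAdministrator
param([string]$ServiceName = 'WACSM', [int]$TimeoutMs = 120000)
$ErrorActionPreference = 'Stop'

$svc = Get-Service -Name $ServiceName   # throws if the name is wrong, which beats a silent no-op

# Windows PowerShell 5.1 has no AutomaticDelayedStart value for Set-Service, so use sc.exe.
& sc.exe config $ServiceName start= delayed-auto | Out-Null
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }

# Raise the SCM timeout behind "the service did not respond in a timely fashion" (error 1053).
# ServicesPipeTimeout is in milliseconds, defaults to 30000, and is read at boot.
$scmKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control'
$current = (Get-ItemProperty -Path $scmKey -Name ServicesPipeTimeout -ErrorAction SilentlyContinue).ServicesPipeTimeout
if (-not $current -or $current -lt $TimeoutMs) {
    Set-ItemProperty -Path $scmKey -Name ServicesPipeTimeout -Value $TimeoutMs -Type DWord
    Write-Warning "ServicesPipeTimeout set to $TimeoutMs ms (was $current); reboot required for it to apply."
}

# Measure how long the service actually takes to reach Running after the update.
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $ServiceName -Force
    $svc.WaitForStatus('Stopped', '00:02:00')
}
$sw = [System.Diagnostics.Stopwatch]::StartNew()
Start-Service -Name $ServiceName
$svc.WaitForStatus('Running', '00:03:00')
$sw.Stop()
"{0} reached Running in {1:N1} s" -f $ServiceName, $sw.Elapsed.TotalSeconds
```

If the measured start time stays under 30 seconds, the registry change is unnecessary and can be reverted; the timeout should only be raised as far as the observed start time requires, since a large value also delays detection of a service that is genuinely hung at boot.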

Authentication Token Refresh Issues

Users may experience authentication token refresh issues when accessing documents through SharePoint integration. This affects long-running document editing sessions.

Workaround: Configure shorter authentication token lifetime in SharePoint Central Administration or advise users to save work frequently and refresh their browser session.

Performance Impact on Large Document Processing

Processing of large documents (>50 MB) may experience slight performance degradation due to enhanced security validation. This primarily affects Excel workbooks with extensive data sets.

Workaround: No workaround available. Performance impact is typically 5-10% and is considered acceptable for the security improvements provided.

Note: Monitor the Windows Application log and the Office Online Server logs for any additional issues. Confirm installation from the MsiInstaller events in the Application log: the entry that names KB5002855 should read "Installation success or error status: 0"; any other status value means the patch did not apply and the verbose msiexec log should be checked.
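
The function below is an added example (not from the KB page or from Microsoft) that turns the verification steps from the Quick Overview and the note above into one post-install check: it confirms the patch is registered with Windows Installer, reads the MsiInstaller result event, checks the Office Online service and farm membership, and probes the WOPI discovery endpoint. It assumes per-machine patches are recorded under the SYSTEM SID key (S-1-5-18), that the service is named WACSM, and that https://oos.corp.example is the farm's internal URL; adjust the last two to your environment.

```powershell
# Added example (not from the KB page): post-install validation of KB5002855 on one server.
# Assumptions: per-machine Windows Installer patch data lives under the S-1-5-18 key, MsiInstaller
# logs to the Application log, 'WACSM' is the Office Online service, and $DiscoveryUrl is the farm's
# internal discovery endpoint.
function Test-Kb5002855 {
    param(
        [string]$Kb = 'KB5002855',
        [string]$ServiceName = 'WACSM',
        [string]$DiscoveryUrl = 'https://oos.corp.example/hosting/discovery'   # assumed farm URL
    )
    $result = [ordered]@{}

    # 1. Is the patch registered with Windows Installer? (Get-HotFix cannot see .msp patches.)
    $patchKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches'
    $patches = Get-ChildItem $patchKey -ErrorAction SilentlyContinue |
               Get-ItemProperty |
               Where-Object { $_.DisplayName -like "*$Kb*" }
    $result.PatchRegistered = [bool]$patches
    $result.PatchNames      = @($patches | ForEach-Object DisplayName)

    # 2. Did Windows Installer record a successful install? MsiInstaller writes
    #    "Installation success or error status: 0" on success; any other value is a failure.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller' } `
                           -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -like "*$Kb*" -and $_.Message -like '*success or error status*' }
    $result.InstallEventOk = [bool]($events | Where-Object { $_.Message -match 'status:\s*0\b' })
    $result.InstallErrors  = @($events | Where-Object { $_.Message -notmatch 'status:\s*0\b' } |
                               ForEach-Object { '{0:s} {1}' -f $_.TimeCreated, ($_.Message -split "`n")[0] })

    # 3. Is the Office Online service running, and does the farm still know this machine?
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $result.ServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }
    try {
        Import-Module OfficeWebApps -ErrorAction Stop
        $result.FarmMachine = (Get-OfficeWebAppsMachine | Out-String).Trim()
    } catch {
        $result.FarmMachine = "OfficeWebApps module unavailable: $($_.Exception.Message)"
    }

    # 4. Does the WOPI discovery endpoint answer? A farm that was not re-created after patching
    #    typically fails here even though the service shows as Running.
    try {
        $r = Invoke-WebRequest -Uri $DiscoveryUrl -UseBasicParsing -TimeoutSec 15
        $result.DiscoveryOk = ($r.StatusCode -eq 200 -and $r.Content -like '*wopi-discovery*')
    } catch {
        $result.DiscoveryOk = $false
    }

    [pscustomobject]$result
}

Test-Kb5002855 | Format-List
```

All four checks should pass before the server is returned to the SharePoint WOPI binding; PatchRegistered and InstallEventOk together prove the patch is on disk and was applied without error, while ServiceStatus and DiscoveryOk prove the farm was rebuilt correctly afterwards.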

Frequently Asked Questions

What does KB5002855 resolve?
KB5002855 resolves multiple critical security vulnerabilities in Office Online Server, including remote code execution (CVE-2026-0142), information disclosure (CVE-2026-0143), privilege escalation (CVE-2026-0144), and cross-site scripting (CVE-2026-0145) vulnerabilities that could compromise server security and document integrity.

Which systems require KB5002855?
KB5002855 is required for all supported versions of Office Online Server including Office Online Server 2016 (Build 10396.20000 and later), Office Online Server 2019 (Build 10397.20000 and later), and Office Online Server 2022 (Build 15601.20148 and later).

Is KB5002855 a security update?
Yes, KB5002855 is a critical security update that addresses four CVE-identified vulnerabilities in Office Online Server. Microsoft recommends immediate deployment to protect against potential security exploits targeting document rendering, authentication, and web interface components.

What are the prerequisites for KB5002855?
Prerequisites include a supported Office Online Server version, minimum 500 MB free disk space, administrative privileges for installation, and the ability to stop Office Online Server services during update deployment. Testing in non-production environments is strongly recommended.

Are there known issues with KB5002855?
Known issues include increased startup time for document conversion services (30-60 seconds), potential authentication token refresh issues in long-running sessions, and slight performance impact (5-10%) when processing large documents due to enhanced security validation routines.
