KB5002861 is a critical security update released on April 14, 2026, for SharePoint Server 2016. This update addresses multiple security vulnerabilities including remote code execution and elevation of privilege issues that could allow attackers to compromise SharePoint environments.
Knowledge BaseKB5002861Microsoft SharePoint
KB5002861 — Security Update for SharePoint Server 2016
KB5002861 is a security update released on April 14, 2026, that addresses multiple vulnerabilities in SharePoint Server 2016, including remote code execution and elevation of privilege issues.
16 April 2026 9 min read —
KB5002861Microsoft SharePointSecurity Update 4 fixes 9 min SharePoint Server 2016 Enterprise +1Download
Quick Overview
PowerShell—Check if KB5002861 is installed
PS C:\> Get-HotFix -Id KB5002861# Returns patch details if KB5002861 is installed
Download Update
Download from Microsoft Update Catalog
Get the official update package directly from Microsoft
Diagnostic
Issue Description
Issue Description
This security update addresses several critical vulnerabilities in SharePoint Server 2016 that could be exploited by attackers to:
- Execute arbitrary code remotely on affected SharePoint servers
- Elevate privileges within the SharePoint environment
- Bypass authentication mechanisms in specific scenarios
- Access sensitive information through improper input validation
- Perform cross-site scripting attacks against SharePoint users
These vulnerabilities affect SharePoint Server 2016 installations running on Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, and Windows Server 2022. The issues primarily impact SharePoint web applications, Central Administration, and SharePoint services.
Analysis
Root Causes
Root Cause
The vulnerabilities stem from improper input validation in SharePoint Server 2016 components, insufficient access control checks in certain SharePoint services, and inadequate sanitization of user-supplied data in web parts and custom solutions. These security flaws allow malicious actors to exploit SharePoint's processing of specially crafted requests and content.
Overview
KB5002861 is a critical security update released on April 14, 2026, for SharePoint Server 2016. This update addresses multiple security vulnerabilities including remote code execution and elevation of privilege issues that could allow attackers to compromise SharePoint environments. The update applies to both SharePoint Server 2016 Enterprise and Standard editions running on supported Windows Server platforms.
Security Vulnerabilities Addressed
This security update resolves several critical vulnerabilities in SharePoint Server 2016 that could be exploited by attackers to:
- Execute arbitrary code remotely on affected SharePoint servers through malicious file uploads and web part exploitation
- Elevate privileges within the SharePoint environment to gain administrative access
- Bypass authentication mechanisms in SharePoint Central Administration and service applications
- Access sensitive information through improper input validation in lists and libraries
- Perform cross-site scripting attacks against SharePoint users through malicious content injection
These vulnerabilities affect SharePoint Server 2016 installations running on Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, and Windows Server 2022. The issues primarily impact SharePoint web applications, Central Administration, and core SharePoint services including the User Profile Service and Search Service Application.
Root Cause Analysis
The vulnerabilities stem from several security weaknesses in SharePoint Server 2016 components:
- Improper Input Validation: Insufficient validation of user-supplied data in web parts and custom solutions
- Access Control Issues: Inadequate permission checks in SharePoint Central Administration and service applications
- Authentication Bypass: Weak token validation in SharePoint Security Token Service (STS)
- Output Encoding Flaws: Improper sanitization of content in SharePoint lists and document libraries
Affected Systems
KB5002861 applies to the following SharePoint Server 2016 configurations:
| Product | Edition | Supported OS | Status |
|---|---|---|---|
| SharePoint Server 2016 | Enterprise | Windows Server 2012 R2 and later | Affected |
| SharePoint Server 2016 | Standard | Windows Server 2012 R2 and later | Affected |
| SharePoint Foundation 2016 | Foundation | Windows Server 2012 R2 and later | Affected |
Security Fixes Included
Remote Code Execution Vulnerability Fix
This update patches a critical remote code execution vulnerability in SharePoint Server 2016 web applications. The fix improves input validation for user-supplied data and strengthens security boundaries between SharePoint components. This prevents attackers from executing arbitrary code by uploading malicious files or exploiting web part vulnerabilities.
Components updated:
- SharePoint Foundation 2016 core libraries
- SharePoint Server 2016 web application framework
- SharePoint web parts processing engine
- File upload and validation mechanisms
Elevation of Privilege Protection
Addresses an elevation of privilege vulnerability that could allow authenticated users to gain administrative access to SharePoint Central Administration. The update implements proper access control validation and strengthens permission checks for administrative operations.
Security improvements:
- Enhanced permission validation for Central Administration access
- Improved authentication checks for administrative functions
- Strengthened role-based access control mechanisms
- Updated service application security boundaries
Cross-Site Scripting (XSS) Protection
Fixes multiple cross-site scripting vulnerabilities in SharePoint lists, document libraries, and custom web parts. The update improves input sanitization and output encoding to prevent malicious script injection attacks.
Areas protected:
- SharePoint list views and forms
- Document library metadata handling
- Custom web part content rendering
- Search result display components
- User profile information display
Authentication Bypass Prevention
Resolves authentication bypass vulnerabilities in SharePoint Server 2016 services that could allow unauthorized access to protected resources. The update enhances token validation and session management mechanisms.
Services updated:
- SharePoint Security Token Service (STS)
- Claims-based authentication components
- SharePoint service application framework
- User Profile Service authentication
- Search Service Application security
Installation and Deployment
KB5002861 is available through multiple deployment channels for SharePoint Server 2016 environments. Organizations should plan for a maintenance window as the update requires SharePoint services to restart during installation.
Microsoft Update Catalog
Download the update package directly from Microsoft Update Catalog for manual installation. The update file size is approximately 485 MB and requires local administrator privileges for installation. This method is suitable for single-server farms or environments where automated deployment is not available.
Enterprise Deployment Options
Windows Server Update Services (WSUS): Enterprise environments can deploy KB5002861 through WSUS by approving the update for SharePoint Server 2016 computer groups. The update will appear in the Microsoft SharePoint classification and can be scheduled for deployment during maintenance windows.
System Center Configuration Manager (SCCM): Deploy the update through SCCM software update management by synchronizing the Microsoft SharePoint updates catalog and creating deployment packages for affected SharePoint servers. This provides the most control over deployment timing and rollback capabilities.
Prerequisites and Requirements
Before installing KB5002861, ensure the following prerequisites are met:
- SharePoint Server 2016 with Service Pack 1 or later installed
- Windows Server 2012 R2 or later operating system
- Minimum 2 GB free disk space on system drive
- All SharePoint services must be running during installation
- SharePoint Configuration Wizard must be accessible
- SQL Server connectivity for SharePoint databases
Installation Requirements:
- Restart Required: Yes, SharePoint services restart required
- Installation Time: 15-30 minutes depending on farm size and server specifications
- Downtime: Minimal service interruption during installation and service restart
- Rollback: Supported through Windows Update uninstall process
Post-Installation Considerations
After installing KB5002861, administrators should verify that all SharePoint services are functioning correctly and monitor for any compatibility issues with custom solutions or third-party components. The update includes changes to SharePoint's security model that may affect custom web parts or applications that rely on deprecated APIs.
Note: Custom solutions should be tested in a development environment before deploying this security update to production SharePoint farms.
Resolution Methods
Key Fixes & Changes
01
Fixes remote code execution vulnerability in SharePoint web applications
This update patches a critical remote code execution vulnerability in SharePoint Server 2016 web applications. The fix improves input validation for user-supplied data and strengthens security boundaries between SharePoint components. This prevents attackers from executing arbitrary code by uploading malicious files or exploiting web part vulnerabilities.
Components updated:
- SharePoint Foundation 2016
- SharePoint Server 2016 web application framework
- SharePoint web parts processing engine
02
Resolves elevation of privilege issue in SharePoint Central Administration
Addresses an elevation of privilege vulnerability that could allow authenticated users to gain administrative access to SharePoint Central Administration. The update implements proper access control validation and strengthens permission checks for administrative operations.
Security improvements:
- Enhanced permission validation for Central Administration access
- Improved authentication checks for administrative functions
- Strengthened role-based access control mechanisms
03
Patches cross-site scripting vulnerabilities in SharePoint lists and libraries
Fixes multiple cross-site scripting (XSS) vulnerabilities in SharePoint lists, document libraries, and custom web parts. The update improves input sanitization and output encoding to prevent malicious script injection attacks.
Areas protected:
- SharePoint list views and forms
- Document library metadata handling
- Custom web part content rendering
- Search result display components
04
Strengthens authentication bypass protection in SharePoint services
Resolves authentication bypass vulnerabilities in SharePoint Server 2016 services that could allow unauthorized access to protected resources. The update enhances token validation and session management mechanisms.
Services updated:
- SharePoint Security Token Service (STS)
- Claims-based authentication components
- SharePoint service application framework
- User Profile Service authentication
Validation
Installation
Installation
KB5002861 is available through multiple deployment channels for SharePoint Server 2016 environments:
Microsoft Update Catalog
Download the update package directly from Microsoft Update Catalog for manual installation. The update file size is approximately 485 MB and requires local administrator privileges for installation.
Windows Server Update Services (WSUS)
Enterprise environments can deploy KB5002861 through WSUS by approving the update for SharePoint Server 2016 computer groups. The update will appear in the Microsoft SharePoint classification.
System Center Configuration Manager (SCCM)
Deploy the update through SCCM software update management by synchronizing the Microsoft SharePoint updates catalog and creating deployment packages for affected SharePoint servers.
Prerequisites
- SharePoint Server 2016 with Service Pack 1 or later
- Windows Server 2012 R2 or later operating system
- Minimum 2 GB free disk space on system drive
- All SharePoint services must be running during installation
Installation Requirements
- Restart Required: Yes, SharePoint services restart required
- Installation Time: 15-30 minutes depending on farm size
- Downtime: Minimal service interruption during installation
If it still fails
Known Issues
Known Issues
The following issues have been reported after installing KB5002861:
SharePoint Timer Service Restart Failure
In some environments, the SharePoint Timer Service may fail to restart automatically after update installation. This can cause scheduled jobs and workflows to stop functioning.
Workaround: Manually restart the SharePoint Timer Service using the following PowerShell command:
Restart-Service SPTimerV4Custom Web Parts Compatibility
Custom web parts that rely on deprecated APIs may experience compatibility issues after applying this security update. Web parts using unsafe input handling methods may require code updates.
Resolution: Review custom web part code for proper input validation and update to use SharePoint 2016 recommended security practices.
Search Service Application Issues
Some SharePoint farms may experience Search Service Application startup delays after installing the update. This typically resolves within 10-15 minutes as search components reinitialize.
Monitoring: Check SharePoint ULS logs for search-related errors and verify search topology health using SharePoint Central Administration.
Frequently Asked Questions
What does KB5002861 resolve?+
KB5002861 resolves multiple critical security vulnerabilities in SharePoint Server 2016, including remote code execution, elevation of privilege, cross-site scripting, and authentication bypass issues that could allow attackers to compromise SharePoint environments.
Which systems require KB5002861?+
KB5002861 is required for all SharePoint Server 2016 installations, including Enterprise, Standard, and Foundation editions running on Windows Server 2012 R2 or later operating systems.
Is KB5002861 a security update?+
Yes, KB5002861 is a critical security update that addresses multiple vulnerabilities in SharePoint Server 2016. It should be installed as soon as possible to protect against potential security exploits.
What are the prerequisites for KB5002861?+
Prerequisites include SharePoint Server 2016 with Service Pack 1 or later, Windows Server 2012 R2 or newer, minimum 2 GB free disk space, and all SharePoint services running during installation.
Are there known issues with KB5002861?+
Known issues include potential SharePoint Timer Service restart failures, custom web parts compatibility problems with deprecated APIs, and temporary Search Service Application startup delays that typically resolve within 10-15 minutes.
References (2)
1
Mises à jour de sécurité de SharePoint Server 2016Documentation officielle de Microsoft pour les mises à jour de sécurité de SharePoint Server 2016 et les conseils de déploiementhttps://support.microsoft.com/help/sharepoint-server-2016-security-updates
2Centre de réponse de sécurité MicrosoftCentre de réponse de sécurité Microsoft pour les avis de sécurité et les informations sur les vulnérabilitéshttps://msrc.microsoft.com
Discussion
Share your thoughts and insights
Sign in to join the discussion
More Articles
Related KB Articles
Security Update
Microsoft SharePoi...
KB5002853 — Security Update for SharePoint Server Subscription Edition
KB5002853 is a security update released on April 14, 2026, that addresses multiple vulnerabilities in SharePoint Server Subscription Edition, including remote code execution and elevation of privilege flaws.
April 1612 min
Security Update
Microsoft SharePoi...
KB5002854 — Security Update for SharePoint Server 2019
KB5002854 is a security update released on April 14, 2026, that addresses multiple vulnerabilities in SharePoint Server 2019, including remote code execution and elevation of privilege issues.
April 169 min
Security Update
Microsoft SharePoi...
KB5002862 — Security Update for SharePoint Server 2016 Language Pack
KB5002862 is a security update released April 14, 2026, that addresses critical vulnerabilities in SharePoint Server 2016 Language Pack components, including remote code execution and privilege escalation flaws.
April 169 min