← Blog · · df00tech

CVE-2026-56155: Actively Exploited Access Control Flaw in Microsoft AD FS

vuln-intel Microsoft CVE-2026-56155

What's Happening

CVE-2026-56155 is an insufficient granularity of access control vulnerability (CWE-1220) in Microsoft Active Directory Federation Services (AD FS). The root cause lies in coarse-grained authorization decisions within the AD FS relying party trust and claims pipeline: an authenticated actor with limited privileges can obtain access to federated resources or claims beyond their intended scope. In practice, this can enable federation token issuance for applications the actor was never authorized to access, or privilege escalation across trusted relying parties — a serious problem for any organization using AD FS as a federation trust anchor.

Affected Software

  • Vendor: Microsoft
  • Product: Active Directory Federation Services

No specific affected version range or patch date has been published at this time.

Exploitation Status

CVE-2026-56155 is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. Disclosed on 2026-07-14, this is not a theoretical issue — defenders should treat it as an immediate, active threat and prioritize monitoring and hardening of AD FS infrastructure rather than waiting on patch guidance.

How Our Detection Catches It

Our detection for CVE-2026-56155 focuses on behavioral anomalies in the AD FS token issuance and trust configuration surface rather than a single exploit signature, since the vulnerability abuses legitimate AD FS functionality with insufficient scoping. Logic centers on:

  • Anomalous AD FS token issuance patterns, including tokens issued for relying parties outside a user's or service's established baseline
  • Unexpected access to relying party trusts that fall outside normal claims-based access patterns
  • Modifications to claims rules, which can indicate an actor attempting to widen scope or persist access
  • AD FS admin and service account activity that deviates from historical behavior baselines

This detection logic is available across KQL (Microsoft Sentinel), SPL (Splunk), Elastic EQL, QRadar AQL, Sumo Logic, Chronicle YARA-L, and CrowdStrike CQL, so teams can deploy consistent coverage regardless of their primary SIEM.

Get the Full Detection

For the complete query logic, MITRE ATT&CK mapping, and platform-specific rules, see the full detection page for CVE-2026-56155.

Get new detections in your inbox

New ATT&CK coverage plus CISA KEV / CVE detection rules, roughly weekly. No spam, unsubscribe anytime.