Back to News
SharePoint OnlineJuly 6, 2026

SharePoint Online Weekly Update — July 6, 2026

Microsoft unveils SharePoint Copilot Apps ahead of a July public preview, a critical SharePoint Server RCE lands on CISA's exploited-vulnerabilities list, and two long-running retirements approach their deadlines.

SharePoint Copilot Apps Heads Into Public Preview

The headline story from the SharePoint Framework (SPFx) team this month is the arrival of SharePoint Copilot Apps, a new model for building Copilot-connected experiences directly on the Microsoft 365 Copilot canvas. Rather than building a standalone web part, developers will be able to surface SPFx-based data and actions as first-class components inside Copilot itself, reusing existing SPFx skills and tooling to reach AI-powered scenarios faster.

Public preview begins this month, with general availability targeted for later in 2026. Microsoft has described the feature as connecting business data and user experiences into intelligent workflows that span SharePoint, Teams, and Viva — extending SPFx investments into the places where users already work. The working name may still change before GA.

What to do: If your team maintains custom SPFx solutions, start reviewing the developer preview materials now so you're positioned to pilot Copilot Apps once preview access opens. No immediate tenant-level action is required.

SPFx 1.23.2 Ships as a Quality-Focused Release

Alongside the Copilot Apps announcement, Microsoft shipped SPFx 1.23.2, a release focused on stability rather than new features. It addresses a set of reported platform issues, resolves npm audit vulnerability findings in the build toolchain, and lays groundwork for an upcoming capability that lets developers override the new-item and edit panels in lists and libraries (server-side support arrives later this month).

Microsoft is also continuing work toward React 18 support for SPFx solutions, expected to land around the general availability of SPFx 1.24 in September. Out-of-the-box web parts will move to React 18 only once that work is complete; custom web parts can adopt it sooner.

What to do: Developers should update to 1.23.2 in build pipelines to pick up the security and dependency fixes, and start planning for the panel-override and React 18 changes coming later this year.

Critical SharePoint Server RCE Added to CISA's Known Exploited Vulnerabilities List

CVE-2026-45659, a remote code execution flaw in on-premises SharePoint Server (Subscription Edition, 2019, and Enterprise 2016) stemming from deserialization of untrusted data, was added to CISA's Known Exploited Vulnerabilities catalog in early July after confirmed active exploitation. The CVSS score is 8.8, and notably an attacker needs only Site Member-level permissions — not admin access — to trigger it over the network.

Microsoft's original advisory rated exploitation as "less likely," but CISA's listing contradicts that assessment. Patches shipped in May, and CISA required federal agencies to remediate by July 4. Observed post-exploitation activity includes lateral movement, persistence via legitimate remote-access tools, and privilege escalation to domain admin.

What to do: This affects on-premises SharePoint Server, not SharePoint Online directly — but if your organization runs any hybrid or on-prem SharePoint farms, confirm the May patches are applied immediately and review for signs of compromise if patching was delayed.

Microsoft 365 Archive Adds File-Level Archiving

Microsoft is rolling out file-level archiving for Microsoft 365 Archive this month, extending the capability beyond whole-site archiving. Previously, archiving a SharePoint site meant moving the entire site to a lower-cost storage tier. The new option lets admins archive individual files within an active site, giving finer-grained control over storage costs without disrupting collaboration on the rest of the site.

This complements the broader push toward storage governance tools Microsoft has been building into the SharePoint admin center, including the SharePoint Admin Agent's ability to surface storage governance opportunities.

What to do: Storage and IT admins managing large SharePoint estates should evaluate file-level archiving as a lower-friction alternative to full-site archiving for content that's aging out but still occasionally referenced.

Two Retirement Deadlines Converge This Month

Two previously announced retirements are worth a reminder as they reach or approach their deadlines. InfoPath Client 2013 and InfoPath Forms Services in SharePoint Online retire on July 14, 2026 — a hard deadline Microsoft has signaled for years. Any remaining InfoPath-based forms need to move to Power Apps, Power Automate, or Microsoft Forms before then.

Separately, Microsoft confirmed that Remote Event Receivers (RERs) registered via Microsoft Entra applications will stop firing events after July 1, 2027. RERs registered through the older Azure ACS model already stopped working in April 2026. The recommended replacement is SharePoint webhooks or Microsoft Graph change notifications — both asynchronous, HTTP-based models that are simpler to operate than the legacy WCF-based RER approach, though they can no longer block or cancel an action the way synchronous RER events could.

What to do: Inventory any InfoPath forms immediately — July 14 is nearly here. Separately, start cataloging any code that still depends on Remote Event Receivers so migration to webhooks or Graph change notifications isn't a last-minute scramble next year.


Sources

Need help navigating these changes?

Kiiro specializes in hands-on Microsoft 365 implementation and AI readiness planning. Let's talk about what these updates mean for your organization.

Talk to Our Team