What is Microsoft SharePoint Server?
Microsoft SharePoint Server is an on-premises collaboration and document management platform deployed widely across enterprises, government agencies, and critical infrastructure organizations. It serves as an intranet portal, document repository, and workflow engine, typically integrated with Active Directory and storing sensitive corporate data. SharePoint's broad enterprise footprint and history of high-severity exploits make it a perennial target for nation-state actors, ransomware operators, and initial access brokers.
SharePoint Online (Microsoft 365) is not affected — this vulnerability is specific to on-premises deployments only.
Overview
CVE-2026-45659 is a deserialization of untrusted data vulnerability (CWE-502) in Microsoft SharePoint Server. An attacker who holds at least Site Member (low-privilege) permissions on a SharePoint site can craft a malicious serialized payload and submit it over the network, triggering arbitrary code execution in the context of the SharePoint service account.
Microsoft rated exploitation as "less likely" at time of initial disclosure, and no active exploitation was documented at patch release in May 2026. A public proof-of-concept appeared on GitHub post-disclosure. CISA added the vulnerability to the Known Exploited Vulnerabilities catalog on July 1, 2026 with an unusually tight three-day federal deadline, indicating confirmed in-the-wild exploitation.
SharePoint Server CVE-2026-32201 — a related zero-day — was actively exploited and added to the CISA KEV in April 2026, demonstrating the rapid weaponization pattern typical of SharePoint vulnerabilities.
Affected Versions
| Product | Vulnerable | Fixed Build | KB Article |
|---|---|---|---|
| SharePoint Server Subscription Edition | All builds prior to patch | 16.0.19725.20280 | KB5002863 |
| SharePoint Server 2019 | All builds prior to patch | 16.0.10417.20128 | KB5002870 |
| SharePoint Enterprise Server 2016 | All builds prior to patch | 16.0.5552.1002 | KB5002868 |
SharePoint Online (Microsoft 365) is unaffected.
Technical Details
The root cause is deserialization of untrusted data (CWE-502) in SharePoint's SPListItem handling path. SharePoint deserializes user-supplied data without adequate validation, enabling a low-privileged authenticated attacker to craft a malicious serialized object and submit it over the network to achieve arbitrary code execution.
Key attack characteristics:
- Authentication required: Low privilege (Site Member) is sufficient — no administrative rights needed
- Network vector: Exploitable remotely without physical access
- Complexity: Low — no special system knowledge required; exploit achieves repeatable success
- No user interaction: The vulnerability triggers server-side; the victim user need not take any action
Discovery
The vulnerability was reported by a researcher credited only as "MEOW" in Microsoft's advisory. Microsoft patched it on Patch Tuesday, May 12, 2026 as part of a broader update cycle.
Exploitation Context
No active exploitation was confirmed at the time of the May 2026 patch release. A public proof-of-concept (GitHub: mistbarbarianspot/CVE-2026-45659-SharePoint-RCE) appeared in the weeks following disclosure, lowering the barrier for exploitation.
CISA's addition to the KEV catalog on July 1, 2026 — with a 72-hour federal remediation deadline — signals confirmed exploitation in the wild. The rapid federal timeline is consistent with observed weaponization patterns on other recent SharePoint vulnerabilities, including the CVE-2026-32201 zero-day that preceded this disclosure by two months.
Remediation
- Apply patches immediately: Install the KB update for your SharePoint version — KB5002863 (Subscription Edition), KB5002870 (2019), KB5002868 (2016)
- Verify your deployment type: SharePoint Online is not affected; only on-premises deployments require action
- Audit SharePoint site permissions: Remove unnecessary Site Member access for external or low-trust accounts to limit the authenticated attack surface
- Review SharePoint service account privileges: Ensure the service account running SharePoint does not have excessive OS-level rights that would amplify post-exploitation impact
- Monitor for IOCs: Watch for unusual process spawning from SharePoint worker processes (w3wp.exe); review IIS logs for anomalous POST requests to SharePoint endpoints, particularly to list item handling paths
- Network isolation: Where feasible, restrict access to SharePoint from external or untrusted network segments
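One way to implement the monitoring item above, as an added example that is not part of the advisory: it flags processes started by w3wp.exe in exported process-creation events (Sysmon Event ID 1 field names) and attaches the IIS POST requests logged in the seconds before each spawn. The child-process lists, the 10-second window, and all sample log lines, accounts and paths are assumptions constructed for illustration.

```python
import ntpath
from datetime import datetime, timedelta

# Assumed lists, tune per environment. EXPECTED covers ASP.NET dynamic compilation.
SUSPICIOUS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe",
              "wscript.exe", "mshta.exe", "rundll32.exe", "certutil.exe"}
EXPECTED = {"csc.exe", "cvtres.exe", "vbc.exe"}

def parse_iis(text):  # W3C extended log text -> dicts keyed by the #Fields names
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            rows.append(row)
    return rows

def triage(proc_events, iis_rows, window_s=10):
    """Flag non-allowlisted children of w3wp.exe; attach POSTs seen just before."""
    findings = []
    for ev in proc_events:
        child = ntpath.basename(ev["Image"]).lower()
        if ntpath.basename(ev["ParentImage"]).lower() != "w3wp.exe" or child in EXPECTED:
            continue
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        posts = [(r["cs-username"], r["c-ip"], r["cs-uri-stem"]) for r in iis_rows
                 if r["cs-method"] == "POST"
                 and timedelta(0) <= ts - r["ts"] <= timedelta(seconds=window_s)]
        findings.append({"level": "alert" if child in SUSPICIOUS else "review",
                         "child": child, "time": ev["UtcTime"], "posts": posts})
    return findings

# Constructed sample data: IIS W3C log lines and Sysmon Event ID 1 fields.
IIS_LOG = """#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2026-07-02 10:15:01 GET /sites/team/SitePages/Home.aspx CONTOSO\\alice 10.0.0.21 200
2026-07-02 10:15:03 POST /sites/team/_api/web/lists CONTOSO\\tmpuser 10.0.0.77 200
2026-07-02 10:40:00 POST /sites/hr/_api/web/lists CONTOSO\\bob 10.0.0.30 200
"""
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
PROC_EVENTS = [
    {"UtcTime": "2026-07-02 10:15:04.120", "ParentImage": W3WP, "Image": r"C:\Windows\System32\cmd.exe"},
    {"UtcTime": "2026-07-02 10:20:00.000", "ParentImage": W3WP.lower(), "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    {"UtcTime": "2026-07-02 10:41:00.000", "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    print(*triage(PROC_EVENTS, parse_iis(IIS_LOG)), sep="\n")
```

Both log sources are compared in UTC, which is what IIS W3C logging and Sysmon's UtcTime field record by default.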
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-45659 |
| Vendor / Product | Microsoft — SharePoint Server |
| NVD Published | 2026-05-22 |
| NVD Last Modified | 2026-06-17 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-502 |
| CISA KEV Added | 2026-07-01 |
| CISA KEV Deadline | 2026-07-04 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2026-05-12 | Microsoft patches released on Patch Tuesday (KB5002863 / KB5002870 / KB5002868) |
| 2026-05-22 | CVE published |
| 2026-07-01 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2026-07-04 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Microsoft Security Response Center — CVE-2026-45659 | Vendor Advisory |
| NVD — CVE-2026-45659 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Microsoft Patches SharePoint RCE Flaw — The Hacker News | Security News |
| Microsoft SharePoint Has a New RCE Flaw — Security Affairs | Security News |
| SharePoint Double Threat: CVE-2026-32201 Zero-Day and CVE-2026-45659 RCE — Apolo | Security Research |