CVE-2026-45659 — Microsoft SharePoint Server Deserialization of Untrusted Data Vulnerability

CVE-2026-45659

Microsoft SharePoint Server — Authenticated Deserialization Remote Code Execution

What is Microsoft SharePoint Server?

Microsoft SharePoint Server is an on-premises collaboration and document management platform deployed widely across enterprises, government agencies, and critical infrastructure organizations. It serves as an intranet portal, document repository, and workflow engine, typically integrated with Active Directory and storing sensitive corporate data. SharePoint's broad enterprise footprint and history of high-severity exploits make it a perennial target for nation-state actors, ransomware operators, and initial access brokers.

SharePoint Online (Microsoft 365) is not affected — this vulnerability is specific to on-premises deployments only.

Overview

CVE-2026-45659 is a deserialization of untrusted data vulnerability (CWE-502) in Microsoft SharePoint Server. An attacker who holds at least Site Member (low-privilege) permissions on a SharePoint site can craft a malicious serialized payload and submit it over the network, triggering arbitrary code execution in the context of the SharePoint service account.

Microsoft rated exploitation as "less likely" at time of initial disclosure, and no active exploitation was documented at patch release in May 2026. A public proof-of-concept appeared on GitHub post-disclosure. CISA added the vulnerability to the Known Exploited Vulnerabilities catalog on July 1, 2026 with an unusually tight three-day federal deadline, indicating confirmed in-the-wild exploitation.

SharePoint Server CVE-2026-32201 — a related zero-day — was actively exploited and added to the CISA KEV in April 2026, demonstrating the rapid weaponization pattern typical of SharePoint vulnerabilities.

Affected Versions

Product | Vulnerable | Fixed Build | KB Article
SharePoint Server Subscription Edition | All builds prior to patch | 16.0.19725.20280 | KB5002863
SharePoint Server 2019 | All builds prior to patch | 16.0.10417.20128 | KB5002870
SharePoint Enterprise Server 2016 | All builds prior to patch | 16.0.5552.1002 | KB5002868

SharePoint Online (Microsoft 365) is unaffected.
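
The fixed builds above can be checked against an inventory of farm build numbers. The following is an added example, not code from Microsoft or from this advisory; the host names and inventory are constructed, and telling the three products apart by the third build component is an assumption stated in the code.

```python
# Fixed builds copied from the Affected Versions table above.
FIXED = {
    "SharePoint Server Subscription Edition": (16, 0, 19725, 20280),
    "SharePoint Server 2019": (16, 0, 10417, 20128),
    "SharePoint Enterprise Server 2016": (16, 0, 5552, 1002),
}

# Constructed inventory: host name -> build string collected from the farm.
INVENTORY = {
    "sp2016-a": "16.0.5552.1002", "sp2019-a": "16.0.10417.20127",
    "spse-a": "16.0.19725.20280", "spse-b": "16.0.18526.20172",
    "legacy": "15.0.5545.1000", "broken": "n/a",
}

def parse_build(text):
    """Turn '16.0.10417.20128' into a tuple of four integers."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part build number: {text!r}")
    return tuple(int(p) for p in parts)

def product_for(build):
    # Assumption: all three products report 16.0.x.y and differ in the third
    # component (2016 below 10000, 2019 from 10000, Subscription Edition
    # from 14000). Builds outside 16.0 are not covered by the table.
    if build[:2] != (16, 0):
        raise ValueError("build is not in the 16.0 family")
    if build[2] >= 14000:
        return "SharePoint Server Subscription Edition"
    if build[2] >= 10000:
        return "SharePoint Server 2019"
    return "SharePoint Enterprise Server 2016"

def assess(text):
    """Return (product, status); status is 'fixed', 'vulnerable' or 'unknown'."""
    try:
        build = parse_build(text)
        product = product_for(build)
    except ValueError:
        return (None, "unknown")
    # Tuples compare numerically per component; comparing the raw strings
    # would wrongly rank '16.0.5552.1002' above '16.0.10417.20128'.
    status = "fixed" if build >= FIXED[product] else "vulnerable"
    return (product, status)

def audit(inventory):
    return {host: assess(build) for host, build in inventory.items()}

if __name__ == "__main__":
    for host, result in audit(INVENTORY).items():
        print(host, *result)
```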

Technical Details

The root cause is deserialization of untrusted data (CWE-502) in SharePoint's SPListItem handling path. SharePoint deserializes user-supplied data without adequate validation, enabling a low-privileged authenticated attacker to craft a malicious serialized object and submit it over the network to achieve arbitrary code execution.

Key attack characteristics:

  • Authentication required: Low privilege (Site Member) is sufficient — no administrative rights needed
  • Network vector: Exploitable remotely without physical access
  • Complexity: Low — no special system knowledge required; exploit achieves repeatable success
  • No user interaction: The vulnerability triggers server-side; the victim user need not take any action

Discovery

The vulnerability was reported by a researcher credited only as "MEOW" in Microsoft's advisory. Microsoft patched it on Patch Tuesday, May 12, 2026 as part of a broader update cycle.

Exploitation Context

No active exploitation was confirmed at the time of the May 2026 patch release. A public proof-of-concept (GitHub: mistbarbarianspot/CVE-2026-45659-SharePoint-RCE) appeared in the weeks following disclosure, lowering the barrier for exploitation.

CISA's addition to the KEV catalog on July 1, 2026 — with a 72-hour federal remediation deadline — signals confirmed exploitation in the wild. The rapid federal timeline is consistent with observed weaponization patterns on other recent SharePoint vulnerabilities, including the CVE-2026-32201 zero-day that preceded this disclosure by two months.

Remediation

  1. Apply patches immediately: Install the KB update for your SharePoint version — KB5002863 (Subscription Edition), KB5002870 (2019), KB5002868 (2016)
  2. Verify your deployment type: SharePoint Online is not affected; only on-premises deployments require action
  3. Audit SharePoint site permissions: Remove unnecessary Site Member access for external or low-trust accounts to limit the authenticated attack surface
  4. Review SharePoint service account privileges: Ensure the service account running SharePoint does not have excessive OS-level rights that would amplify post-exploitation impact
  5. Monitor for IOCs: Watch for unusual process spawning from SharePoint worker processes (w3wp.exe); review IIS logs for anomalous POST requests to SharePoint endpoints, particularly to list item handling paths
  6. Network isolation: Where feasible, restrict access to SharePoint from external or untrusted network segments
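
The process-spawning check in step 5 can be run over exported process-creation events. The following is an added example, not part of the original advisory or any vendor tooling; the events are constructed and shaped like Sysmon Event ID 1 records exported as JSON lines, and the list of expected child processes is an assumption to tune per farm.

```python
import json
import ntpath  # parses Windows paths on any OS

# Children that a web worker process has little reason to start.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
          "cscript.exe", "mshta.exe", "rundll32.exe", "certutil.exe"}
# Assumption: ASP.NET dynamic compilation legitimately starts these.
EXPECTED = {"csc.exe", "vbc.exe"}

# Constructed events (hosts, paths and command lines are made up).
SAMPLE = r"""
{"Computer":"sp-app01","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c whoami"}
{"Computer":"sp-app01","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","Image":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe","CommandLine":"csc.exe /noconfig"}
{"Computer":"sp-app02","ParentImage":"C:\\WINDOWS\\SYSTEM32\\INETSRV\\W3WP.EXE","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -NoProfile"}
{"Computer":"sp-app02","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","Image":"C:\\Windows\\Temp\\svc.exe","CommandLine":"svc.exe"}
{"Computer":"sp-app01","ParentImage":"C:\\Windows\\System32\\services.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c ver"}
{"Computer":"sp-app02","ParentImage":
"""

def name(path):
    return ntpath.basename(path or "").lower()

def classify(event):
    """Return 'alert', 'review', or None for one process-creation event."""
    if name(event.get("ParentImage")) != "w3wp.exe":
        return None  # only children of the IIS worker process matter here
    child = name(event.get("Image"))
    if child in SHELLS:
        return "alert"
    if child in EXPECTED:
        return None
    return "review"  # unknown child of w3wp.exe: worth a human look

def triage(text):
    findings = []
    for line in text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or truncated lines rather than abort
        verdict = classify(event)
        if verdict:
            findings.append((verdict, event.get("Computer"), name(event.get("Image"))))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```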

Key Details

Property | Value
CVE ID | CVE-2026-45659
Vendor / Product | Microsoft — SharePoint Server
NVD Published | 2026-05-22
NVD Last Modified | 2026-06-17
CVSS 3.1 Score | 8.8
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-502
CISA KEV Added | 2026-07-01
CISA KEV Deadline | 2026-07-04
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2026-07-04. Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA's BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA's "Forensics Triage Requirements" (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Timeline

Date | Event
2026-05-12 | Microsoft patches released on Patch Tuesday (KB5002863 / KB5002870 / KB5002868)
2026-05-22 | CVE published
2026-07-01 | Added to CISA Known Exploited Vulnerabilities catalog
2026-07-04 | CISA BOD 22-01 remediation deadline