SharePoint CVE-2026-45659 Critical RCE CVSS 8.8

Microsoft has addressed CVE-2026-45659, a critical remote code execution (RCE) vulnerability impacting SharePoint Server across multiple versions. This flaw, assigned a CVSS score of 8.8, stems from a deserialization of untrusted data issue, potentially allowing an authenticated attacker to execute arbitrary code over a network without requiring specialized conditions.

The vulnerability's high severity comes from its potential for network-based exploitation by an authenticated attacker possessing only Site Member permissions. No administrator or other elevated privileges are necessary for successful exploitation. While Microsoft indicates that CVE-2026-45659 is currently "less likely to be exploited," the vendor strongly advises immediate patching due to the history of SharePoint vulnerabilities being weaponized in real-world attacks.

Security updates rolled out on May 26, 2026, targeting SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Organizations using these versions should apply the necessary fixes promptly to reduce the risk of compromise. The vulnerability was discovered and reported by the researcher MEOW.

Impact

Successful exploitation of CVE-2026-45659 could enable an attacker to achieve remote code execution on the compromised SharePoint Server. This allows an attacker to execute arbitrary commands at the privilege level of the SharePoint application pool or the underlying operating system service account. Such control provides a basis for a range of malicious activities, significantly impacting data confidentiality, integrity, and availability.

Organizations using affected SharePoint Server versions are directly at risk. An attacker could gain full control over the SharePoint environment, including access to all stored documents, user data, and configurations. This can extend to the underlying server infrastructure, allowing for lateral movement within the network, establishment of persistence mechanisms, or deployment of additional malware. The CVSS score of 8.8 reflects the severe consequences associated with this network-based RCE vulnerability, especially considering the broad scope of data and services typically hosted on SharePoint.

Compromise of a SharePoint Server often leads to severe business disruption. This includes potential data exfiltration of sensitive organizational information, data manipulation, or complete denial of service for critical collaboration platforms. The ability to achieve RCE from an authenticated user with minimum Site Member permissions lowers the bar for potential attackers, increasing the overall risk profile for unpatched systems.

Exploitation Chain

CVE-2026-45659 uses a deserialization of untrusted data vulnerability within Microsoft Office SharePoint. The attack vector is network-based; an attacker can initiate the exploit remotely over the network, rather than requiring direct physical access or user interaction beyond standard SharePoint functionality.

A critical precondition for exploitation is that the attacker must be authenticated to the SharePoint Server. However, the privilege requirement is minimal, needing only Site Member permissions. This means a standard user account, not necessarily an administrator or an account with elevated privileges, can serve as the entry point for this RCE. The flaw does not require any specialized conditions to be met, simplifying the attacker's path to compromise once authenticated access is obtained.

Deserialization vulnerabilities occur when an application attempts to reconstruct a data structure from an untrusted data stream without adequate validation. If malicious data is injected into this stream, the application may execute arbitrary code during the deserialization process. For CVE-2026-45659, this mechanism allows the authenticated attacker to submit specially crafted data to the SharePoint application, which, upon deserialization, triggers the execution of attacker-controlled code on the server. The researcher MEOW is credited with discovering and reporting this specific flaw.

While Microsoft has indicated that CVE-2026-45659 is "less likely to be exploited" in the wild at the time of patch release, this assessment should not diminish the urgency of remediation. The history of SharePoint vulnerabilities, including previous critical RCEs that have been actively weaponized, shows the importance of proactive patching. For instance, PurpleOps has previously covered emergency fixes for SharePoint RCE zero-day attacks, demonstrating the platform's recurring status as a target for sophisticated threats. Another significant example includes CVE-2026-32201, a spoofing vulnerability impacting Microsoft SharePoint Server that was actively exploited in the wild, as reported in the month prior to the disclosure of CVE-2026-45659. These precedents reinforce the need for immediate attention to all security updates, including those not yet observed in active exploitation.

Which SharePoint versions are affected by CVE-2026-45659?

CVE-2026-45659 impacts multiple versions of Microsoft SharePoint Server. Organizations must identify installations of these products within their environment to assess exposure and prioritize patching efforts.

The following SharePoint Server product lines and their respective versions are affected by this remote code execution vulnerability:

  • SharePoint Server Subscription Edition: This is the latest iteration of SharePoint Server, designed for continuous updates.
  • Security Update for SharePoint Server Subscription Edition (May 12, 2026) - KB5002863
  • SharePoint Server 2019: A widely deployed version, often used in hybrid cloud scenarios.
  • Security Update for SharePoint Server 2019 (May 12, 2026) - KB5002870
  • SharePoint Enterprise Server 2016: An older but still supported enterprise version.
  • Security Update for SharePoint Server 2016 (May 12, 2026) - KB5002868

Following Microsoft's update guidance for these specific Knowledge Base (KB) articles is crucial for reducing the risk associated with CVE-2026-45659. Identification of installed patches and current version numbers against Microsoft's official documentation is recommended for all deployments.

Detection

Detecting exploitation attempts related to CVE-2026-45659 involves monitoring for anomalous behavior within SharePoint Server environments, particularly concerning authenticated user activity and unexpected process execution. Since the vulnerability is a deserialization RCE, indicators would typically manifest as suspicious server-side operations.

Key detection strategies include:

  • Log Analysis:
  • Monitor SharePoint Unified Logging System (ULS) logs and Internet Information Services (IIS) logs for unusual access patterns from authenticated users, especially those with Site Member permissions, making requests to potentially vulnerable endpoints.
  • Look for error messages or warnings related to deserialization failures or unexpected object types in application event logs and SharePoint diagnostics.
  • Review Windows Event Logs on the SharePoint host for suspicious process creations, elevated privilege attempts, or unexpected service modifications originating from SharePoint worker processes.
  • Network Monitoring:
  • Observe outbound network connections from SharePoint Servers to unusual or unknown external IP addresses or domains. Such connections could indicate command-and-control (C2) activity or data exfiltration attempts post-exploitation.
  • Monitor for abnormal internal network traffic originating from the SharePoint host, which might suggest lateral movement within the network.
  • Endpoint Detection and Response (EDR) Systems:
  • Configure EDR solutions to alert on suspicious process executions originating from w3wp.exe (IIS worker process) or other SharePoint-related processes. This includes PowerShell scripts, shell commands, or executables running from unusual directories.
  • Look for unexpected file modifications, creations, or deletions within SharePoint installation directories or other critical system locations.
  • Implement baselining of normal SharePoint Server behavior and alert on deviations from this baseline, such as unusual CPU or memory spikes.
  • Integrity Monitoring:
  • Employ file integrity monitoring (FIM) on critical SharePoint files and directories to detect unauthorized modifications that might indicate web shell deployment or persistence mechanisms.

Organizations should correlate alerts from these different sources to identify potential exploitation attempts. Given the authentication requirement, careful monitoring of compromised user accounts or suspicious activities from legitimate accounts is also important.

Remediation

The primary and most effective remediation for CVE-2026-45659 is to apply the security updates released by Microsoft. Prompt application of these patches is critical for eliminating the vulnerability and preventing potential remote code execution.

The specific patches to install are:

  • For SharePoint Server Subscription Edition: Apply security update KB5002863.
  • For SharePoint Server 2019: Apply security update KB5002870.
  • For SharePoint Enterprise Server 2016: Apply security update KB5002868.

These updates were released on May 12, 2026, and rolled out on May 26, 2026. Organizations should follow their standard patch management processes, including testing patches in a non-production environment before deployment to production systems to ensure compatibility and stability.

As of the research findings, Microsoft has not provided specific workarounds to reduce CVE-2026-45659 without applying the security updates. Therefore, patching remains the definitive solution.

In addition to applying patches, organizations should consider the following mitigations and best practices to improve the security of their SharePoint environments:

  • Principle of Least Privilege: Ensure all SharePoint user accounts, especially those with Site Member permissions, operate with the minimum necessary privileges required for their functions. Regularly review and audit permissions to restrict potential attacker access.
  • Network Segmentation: Implement strict network segmentation to limit network access to SharePoint Servers only from trusted sources and necessary internal networks. This can reduce the attack surface, even for network-based vulnerabilities.
  • Enhanced Authentication: Enforce strong authentication policies, including multi-factor authentication (MFA), for all SharePoint user accounts. This adds an additional layer of security against credential compromise that could lead to authenticated access for exploitation.
  • Regular Security Audits: Conduct periodic security audits and penetration tests of SharePoint deployments to identify and address misconfigurations or other vulnerabilities before they can be exploited.

Proactive monitoring, as outlined in the detection section, should continue even after patching to ensure no lingering threats or previous compromises persist within the environment.

Technical Takeaways

  • CVE-2026-45659 is a critical remote code execution (RCE) vulnerability in Microsoft SharePoint Server, stemming from a deserialization of untrusted data flaw.
  • The vulnerability carries a CVSS score of 8.8, showing high severity and significant potential impact upon successful exploitation.
  • Exploitation is network-based and requires an authenticated attacker with a minimum of Site Member permissions; no elevated privileges are necessary.
  • Microsoft has released security updates to address CVE-2026-45659 for SharePoint Server Subscription Edition (KB5002863), SharePoint Server 2019 (KB5002870), and SharePoint Enterprise Server 2016 (KB5002868).
  • While Microsoft considers the vulnerability "less likely to be exploited" at the time of disclosure, the consistent history of SharePoint RCEs being weaponized in the wild requires immediate patching across affected environments.