
Threat Advisory • Vulnerability Report • TA2026186
CVE-2026-45659 is a high-severity remote code execution vulnerability in Microsoft SharePoint Server, rooted in insecure deserialization of untrusted data (CWE-502). An authenticated attacker with only standard Site Member permissions can send a crafted payload and run arbitrary code on the underlying SharePoint instance without any user interaction — and the flaw is now confirmed under active exploitation.
CWE-502
AUTHENTICATED ACCESS REQUIRED
Section 01
CVE-2026-45659 is a high-severity remote code execution flaw in Microsoft SharePoint Server, rooted in the insecure deserialization of untrusted data (CWE-502). An attacker who has already authenticated to a targeted SharePoint server, needing only standard Site Member permissions, can send a crafted payload over the network and run arbitrary code on the underlying SharePoint instance without any user interaction.
The weakness affects on-premises SharePoint deployments, specifically SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Microsoft shipped fixes for CVE-2026-45659 in late May 2026 as an out-of-band correction after the CVE was inadvertently omitted from the May 2026 Security Updates. The vulnerability is now confirmed to be actively exploited, making patching SharePoint Server crucial.
Section 02
SharePoint's habit of trusting the data it receives has once again turned into a liability. CVE-2026-45659 is classified under CWE-502, Deserialization of Untrusted Data, meaning the server reconstructs attacker-controlled objects without validating them first — a flaw class that reliably translates into code execution when abused. A specially crafted serialized payload submitted to a vulnerable SharePoint endpoint is deserialized in a way that lets the attacker's data drive the execution flow, resulting in arbitrary code running in the context of the SharePoint application. Microsoft notes that the attack complexity is low because an adversary does not need deep prior knowledge of the system and can reliably reproduce success with the payload against the affected component.
The CVE-2026-45659 attack is carried out over the network and is remotely reachable from the internet, but it is not unauthenticated; an attacker must first hold valid credentials with at least Site Member permissions before triggering the flaw. This authentication requirement is the only meaningful hurdle — no elevated or administrative rights are required, and no user interaction is involved once the attacker is logged in. The vulnerability affects on-premises SharePoint installations, specifically SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016.
Microsoft addressed CVE-2026-45659 through the May 2026 update cycle, though the CVE identifier was inadvertently omitted from the published May 2026 Security Updates and later documented separately; customers who had already applied the May 2026 updates were told no further action was needed. The fixes correspond to SharePoint Server Subscription Edition build 16.0.19725.20280, SharePoint Server 2019 build 16.0.10417.20128, and SharePoint Enterprise Server 2016 build 16.0.5552.1002. The vulnerability is now confirmed to be actively exploited, making patching crucial for every affected SharePoint Server deployment.
Section 03
| CVE ID | Affected Products | Affected CPE | CWE ID |
|---|---|---|---|
CVE-2026-45659 |
Microsoft SharePoint Server Subscription Edition, SharePoint Server 2019, SharePoint Enterprise Server 2016 |
cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:*:enterprise:*:*:*cpe:2.3:a:microsoft:sharepoint_server:-:*:*:*:*:subscription:*:*:*
|
CWE-502 |
Section 04
Apply Microsoft's Security Updates Immediately
Install the May 2026 updates that remediate CVE-2026-45659 on every affected on-premises SharePoint server without delay. The fixed builds are SharePoint Server Subscription Edition 16.0.19725.20280, SharePoint Server 2019 16.0.10417.20128, and SharePoint Enterprise Server 2016 16.0.5552.1002. Because the flaw is under active exploitation, patching is the single most effective action available.
Verify Patch Coverage Across the Estate
Confirm that the deployed build numbers match or exceed the fixed versions on each SharePoint server, since the CVE was originally omitted from the May 2026 Security Updates and administrators may wrongly assume they are protected. Reconcile your inventory against the vendor advisory to ensure no on-premises instance, including secondary farms and disaster-recovery nodes, was missed.
Tighten SharePoint Account Access
Exploitation of CVE-2026-45659 only requires an authenticated user with Site Member permissions, so review and prune user accounts, enforce strong authentication, and remove unnecessary or stale low-privilege access. Prioritize multi-factor authentication and least-privilege principles to shrink the pool of credentials an attacker could leverage to reach the vulnerable endpoint.
Limit Internet Exposure and Segment Access
Where patching cannot be completed immediately, restrict inbound access to SharePoint servers, place them behind VPN or zero-trust controls, and segment them from the broader network to reduce the attack surface. With more than 10,000 SharePoint servers observed exposed online, minimizing direct internet reachability materially lowers risk, and CISA advises following BOD 26-04 guidance for cloud services or discontinuing use of the product where mitigations are unavailable.
Section 05
Section 06