Microsoft has released security updates that address CVE-2026-45659, an untrusted data deserialization flaw in SharePoint Server with a CVSS score of 8.8 that allows any authenticated user with no more than Site Member permissions to execute arbitrary code on the server over the network. Patches are available for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Although Microsoft rates the likelihood of exploitation as low, the history of attacks on SharePoint makes prompt patching a high-priority task for administrators.
Technical details of the vulnerability
According to the Microsoft advisory, the vulnerability belongs to the untrusted data deserialization class (CWE-502) in the Microsoft Office SharePoint component. Key characteristics:
- Attack vector: network — exploitation is possible remotely
- Required privileges: low (PR:L) — Site Member rights are sufficient, administrator privileges are not required
- User interaction: not required
- Severity level: Important (per Microsoft classification)
- CVSS score: 8.8
The core issue is that SharePoint Server improperly handles serialized data coming from untrusted sources. An authenticated attacker with no more than Site Member rights can send a specially crafted request that results in arbitrary code execution on the server. This makes the vulnerability particularly dangerous in corporate environments, where Site Member–level access is often granted to a wide range of employees.
Affected products and available updates
Security updates were released on May 12, 2026 for three product versions:
- SharePoint Server Subscription Edition — KB5002863
- SharePoint Server 2019 — KB5002870
- SharePoint Enterprise Server 2016 — KB5002868
According to Microsoft, the vulnerability was discovered and reported by a researcher using the alias MEOW.
Impact assessment
Untrusted data deserialization is one of the most dangerous vulnerability classes in web applications. In the context of SharePoint Server, this means that a compromised account of a regular employee or contractor with basic site access can become an entry point for full server compromise. Given that SharePoint often stores sensitive corporate documents, internal policies, and project data, the consequences of a successful attack can include data leakage, lateral movement across the network, and persistence within the infrastructure.
It is worth noting that in April 2026 Microsoft had already fixed a spoofing vulnerability in SharePoint Server (CVE-2026-32201, CVSS 6.5), which was reportedly exploited in real-world attacks. This confirms sustained adversary interest in the SharePoint platform as an attack vector.
Microsoft rates the likelihood of exploitation of CVE-2026-45659 as low, and at the time of publication there are no confirmed cases of the vulnerability being used in real attacks. The vulnerability is also not listed in the CISA KEV catalog.
Recommendations
- Install the security updates KB5002863, KB5002870, or KB5002868, depending on your SharePoint Server version. Despite Microsoft’s “Exploitation Less Likely” rating, the CVSS score of 8.8 and low barrier to entry for an attacker justify treating this as a patching priority.
- Audit accounts with Site Member–level and higher permissions. Revoke excessive permissions from inactive users and external contractors.
- Review SharePoint logs for anomalous requests, especially those containing atypical serialized objects, originating from accounts with basic privileges.
- Consider network segmentation — restrict direct network access to SharePoint servers by using reverse proxies and a WAF with rules to detect deserialization attacks.
SharePoint Server administrators are advised to install the relevant updates in the next maintenance window, paying particular attention to servers accessible from external networks or serving a large number of users with Site Member rights. In parallel, it is worth reviewing permissions: reducing the number of accounts with Site Member rights directly shrinks the attack surface for CVE-2026-45659.
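One way to carry out the permission audit recommended above, as an added example that is not Microsoft's or this article's own code: run in the SharePoint Management Shell by a farm administrator, it lists every principal whose permission level on a site grants write access. Treating the AddListItems permission as the marker for "Site Member level or higher" and the output file name are assumptions of this example.

```powershell
# Added example: lists principals holding Site Member-level or higher rights per web.
# Assumption: run in the SharePoint Management Shell on a farm server by a farm admin.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: "Site Member level or higher" = any permission level that grants
# AddListItems (the built-in Contribute, Edit, Design and Full Control levels do).
$writeFlag = [Microsoft.SharePoint.SPBasePermissions]::AddListItems

$report = foreach ($site in Get-SPSite -Limit All) {
    try {
        foreach ($web in $site.AllWebs) {
            try {
                # Webs that inherit permissions repeat their parent's assignments; skip them.
                if (-not $web.IsRootWeb -and -not $web.HasUniqueRoleAssignments) { continue }
                foreach ($ra in $web.RoleAssignments) {
                    # Keep only the permission levels on this assignment that allow writes.
                    $levels = @($ra.RoleDefinitionBindings |
                        Where-Object { $_.BasePermissions.HasFlag($writeFlag) } |
                        ForEach-Object { $_.Name })
                    if ($levels.Count -eq 0) { continue }

                    # The assignee is either a SharePoint group or a directly granted principal.
                    if ($ra.Member -is [Microsoft.SharePoint.SPGroup]) {
                        $principals = @($ra.Member.Users); $via = $ra.Member.Name
                    } else {
                        $principals = @($ra.Member); $via = '(direct)'
                    }
                    foreach ($p in $principals) {
                        [pscustomobject]@{
                            Web           = $web.Url
                            Login         = $p.LoginName
                            Name          = $p.Name
                            IsDomainGroup = $p.IsDomainGroup
                            GrantedVia    = $via
                            Levels        = $levels -join '; '
                        }
                    }
                }
            } finally { $web.Dispose() }
        }
    } finally { $site.Dispose() }
}

# Hypothetical output path; review the CSV for inactive users and external contractors.
$report | Sort-Object Web, Login | Export-Csv -Path .\sp-member-audit.csv -NoTypeInformation
```

This pass covers web-level role assignments only; site collection administrators, web application policies, and lists or items with unique permissions need a separate review.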