CVE 2026 45659 is a high severity (CVSS 8.8) remote code execution vulnerability in Microsoft SharePoint Server caused by a deserialization of untrusted data flaw (CWE 502). The vulnerability can be exploited over a network with low attack complexity, requiring only basic authorization.

Create a landscape editorial hero image for this Studio Global article: What is the full scope of the recently disclosed CVE-2026-45659 remote code execution vulnerability in Microsoft SharePoint Server, includin. Article summary: Here is the full scope of CVE-2026-45659 and the surrounding SharePoint threat landscape.. Topic tags: general, government, general web. Reference image context from search candidates: Reference image 1: visual subject "Take action: This month prioritize Microsoft Office, Word, and Excel for the critical remote code execution flaws exploitable via the preview pane, then Windows OS and SharePoint S" source context "Microsoft May 2026 Patch Tuesday: 120 Vulnerabilities Fixed" Reference image 2: visual subject "# CVE-2026-40365 – Microsoft SharePoint Server Remote Code Execution Vulnerability. > “A low-privileged SharePoint account should never become a pathway to
Microsoft has released an emergency fix for a dangerous new vulnerability in SharePoint Server, just two weeks after its regular Patch Tuesday updates. The bug, designated CVE-2026-45659, enables an attacker with basic login credentials to seize a server completely, underscoring an alarming pattern of critical flaws in on-premises SharePoint deployments. For security teams managing their own SharePoint farms, this isn't just another patch—it's an urgent priority.
CVE-2026-45659 is a classic and dangerous type of software flaw: a deserialization of untrusted data vulnerability, formally tracked as CWE-502 . In simple terms, SharePoint accepts and processes complex data "packages" from users. Due to the flaw, an attacker can craft a malicious package that, when "unpacked" (deserialized) by the server, executes code of the attacker's choice.
The technical specifications of the vulnerability make it easy to exploit:
This combination of low privileges, no user interaction, and network-based access makes this a prime target for attackers, as a single compromised standard user account can serve as the gateway to total server control.
This is an on-premises issue. The vulnerability affects the following three versions of SharePoint Server. SharePoint Online is not affected .
For each affected version, Microsoft has provided a specific update and build number that administrators can use to verify their patch level. The patch was made available on May 12, 2026 as part of a standard security update but was further emphasized after its severity was clarified .
CVE-2026-45659 is not an isolated incident. It is the latest in a series of high-impact SharePoint deserialization vulnerabilities that have plagued on-premises deployments.
A key example is CVE-2026-20963, a similar flaw that had a confirmed CVSS score of 9.8 and was so dangerous that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog on March 18, 2026, after confirming active exploitation . CERT-EU reported that Microsoft had to update its advisory for CVE-2026-20963 to clarify that the vulnerability was exploitable by an unauthenticated attacker—meaning no login was required at all
.
Other related issues, such as CVE-2026-33110, also involve deserialization of untrusted data and affect the same product lines . The pattern is clear: attackers and security researchers are heavily scrutinizing SharePoint's deserialization mechanisms, and critical flaws are being discovered at an alarming rate. This trend makes robust and timely patching more critical than ever for SharePoint administrators.
Patching is the only complete solution, but a defense-in-depth approach provides additional protection. For organizations that must run on-premises SharePoint, here are the recommended steps:
w3wp.exe), unusual outbound network connections or web shells, and abnormal behavior from service accounts.Studio Global AI
Use this topic as a starting point for a fresh source-backed answer, then compare citations before you share it.
CVE 2026 45659 is a high severity (CVSS 8.8) remote code execution vulnerability in Microsoft SharePoint Server caused by a deserialization of untrusted data flaw (CWE 502).
CVE 2026 45659 is a high severity (CVSS 8.8) remote code execution vulnerability in Microsoft SharePoint Server caused by a deserialization of untrusted data flaw (CWE 502). The vulnerability can be exploited over a network with low attack complexity, requiring only basic authorization.