
Microsoft Patches Critical SharePoint RCE CVE-2026-45659

Microsoft patched CVE-2026-45659, a CVSS 8.8 SharePoint RCE exploitable by any authenticated Site Member. Here's what it affects and how to respond.
Sami Malik
Copywriter

What Happened

Microsoft patched a remote code execution vulnerability in SharePoint Server, tracked as CVE-2026-45659 and carrying a CVSS score of 8.8, as part of its May 2026 Patch Tuesday cycle. The flaw stems from unsafe deserialisation of untrusted data within Microsoft Office SharePoint. According to The Hacker News, an authenticated attacker holding nothing more than Site Member permissions can execute arbitrary code remotely, no administrative access required.

Why This Matters

A CVSS 8.8 rating on a network-exploitable, low-privilege RCE is not something security teams can quietly schedule for the next maintenance window. The bar for exploitation is deliberately low: any user with a standard site membership can attempt it. In organisations where SharePoint is used for document collaboration, intranet portals, or workflow automation, that pool of potential threat actors includes contractors, temporary staff, and anyone whose credentials have been compromised.

There is an additional administrative wrinkle. As Help Net Security reported, this CVE was inadvertently left off Microsoft's published May 2026 Security Updates list. That means teams who rely on that list for patch prioritisation may have no awareness of the flaw at all, despite the fact that the fix was already included in the May 2026 update rollup. Any organisation that deferred May patching is exposed without knowing it.

Microsoft has assessed exploitation as "less likely", but that rating reflects current observed activity, not inherent difficulty. SharePoint deserialisation vulnerabilities have been weaponised before: the ToolShell-class attacks and earlier ViewState abuse are documented examples, and threat actors maintain working knowledge of this attack class. "Less likely" is not a mitigation.

Technical Detail

The vulnerability lies in how SharePoint processes serialised data objects it receives from the network. Deserialisation is the mechanism by which an application reconstructs an object from a stream of bytes. When that process is applied to data the application does not adequately validate or restrict, an attacker can craft a malicious payload that the deserialiser executes as code during reconstruction, before any business logic or access control checks intervene.

In this case, the attack is authenticated but requires only Site Member-level access, which SharePoint classifies as a low-privilege role. The designation PR:L (Privileges Required: Low) in the CVSS vector confirms this. Because the execution path runs over the network, physical or local access to the server is irrelevant. An attacker operating entirely remotely can send the crafted request directly to the SharePoint endpoint.

Once code runs in the context of the SharePoint application, the practical consequences depend on the server's configuration and what it can reach: domain-joined systems, file shares, databases, and internal APIs all become reachable from that foothold. Deserialisation flaws of this type have historically been used to deploy web shells, establish persistence, and move laterally through on-premises environments. Understanding your attack surface, particularly which internal systems SharePoint can communicate with, determines how far that initial foothold can travel.

Who Is at Risk

On-premises SharePoint deployments are the exposure here. Affected versions include SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. Organisations running any of these on unpatched infrastructure are vulnerable if an authenticated user, or a compromised account, can reach the SharePoint interface over the network.

SharePoint Online, delivered through Microsoft 365, is managed directly by Microsoft and was not affected; those tenants required no action.

Risk is elevated in specific configurations. Environments where external users, partners, or contractors hold Site Member access expand the pool of accounts that could be used to trigger the flaw. Similarly, any deployment where SharePoint is internet-facing rather than restricted to internal networks shortens the attacker's path considerably. Government agencies and financial institutions in the MEA region that operate on-premises SharePoint for data sovereignty reasons should treat this as a priority, particularly given that May 2026 patching may not have been completed uniformly across distributed or air-gapped environments.

What to Do Now

Verify May 2026 patch status immediately. Because this CVE was omitted from the standard Security Updates list, do not rely on your patch management dashboard alone. Query SharePoint servers directly for the May 2026 cumulative update build number and confirm it is installed. Systems already running the May 2026 updates are protected and need no separate patch, but confirmation is the critical step.
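The following PowerShell is an added example, not code from the article or from Microsoft. Run in the SharePoint Management Shell on each server, it compares two things against the build number of the May 2026 update: the build the farm's configuration database records, and the file version of the core SharePoint assembly actually on disk. The article does not give the update's build number, so `$ExpectedBuild` is a placeholder to fill from the update's KB article; the hive-16 assembly path and the `Get-SPProduct -Local` refresh assume a default installation.

```powershell
# Added example, not from the article. Run in the SharePoint Management Shell on each
# server in the farm. The expected build number is NOT on the page: take it from the
# KB article for the May 2026 update and pass it in.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-SPUpdateInstalled {
    param(
        [Parameter(Mandatory)] [version] $ExpectedBuild,
        # Hive 16 is used by SharePoint 2016, 2019 and Subscription Edition
        # (assumption: default installation path)
        [string] $CoreAssembly = (Join-Path $env:CommonProgramFiles 'microsoft shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.dll')
    )

    # Refresh this server's patch inventory so Central Admin's
    # "product and patch installation status" page reflects reality
    Get-SPProduct -Local | Out-Null

    # What the configuration database records for the farm. This only moves forward
    # once PSConfig (the upgrade step) has been run after the binaries were installed.
    $farmBuild = (Get-SPFarm).BuildVersion

    # What is really on disk on this server: the file version of the core assembly
    $localBuild = [version][System.Diagnostics.FileVersionInfo]::GetVersionInfo($CoreAssembly).FileVersion

    [pscustomobject]@{
        Server          = $env:COMPUTERNAME
        ExpectedBuild   = $ExpectedBuild
        FarmBuild       = $farmBuild
        LocalBuild      = $localBuild
        BinariesPatched = ($localBuild -ge $ExpectedBuild)
        FarmUpgraded    = ($farmBuild -ge $ExpectedBuild)
        # Patched binaries but an older farm build: the update is installed, PSConfig has not run
        NeedsPsConfig   = ($localBuild -ge $ExpectedBuild) -and ($farmBuild -lt $ExpectedBuild)
    }
}

# Usage (replace the placeholder with the build number from the May 2026 KB article):
# Test-SPUpdateInstalled -ExpectedBuild '16.0.NNNNN.NNNNN'
```

Read the two flags together. `BinariesPatched` false on any server means that server missed the binary install, which SharePoint requires on every server in the farm regardless of what the farm build says. `NeedsPsConfig` true means the patch is on disk but the upgrade step has not completed, so the farm is still reporting the old build.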

Audit Site Member permissions across all SharePoint sites. The low-privilege exploitation path means over-provisioned membership is a direct risk amplifier. Identify accounts with Site Member access or above, remove stale or unnecessary permissions, and apply least-privilege principles to any external or contractor accounts.
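To make that audit concrete, here is an added example (not the article's or Microsoft's code) that walks every site collection in the farm and reports each user holding Contribute-level rights or higher, which is what Site Member membership grants, expanding SharePoint groups to their users. `AddListItems` is used as the marker for "can write", and the `$InternalDomain` string used to flag external accounts is an assumption about your login-name format.

```powershell
# Added example, not from the article. Lists every user with Contribute-level rights or
# higher (the level a Site Member has) on every web that has its own permissions,
# expanding SharePoint groups. Run in the SharePoint Management Shell as a farm admin.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SPWriteAccessReport {
    param(
        # Logins that do not contain this string are reported as external (assumed naming)
        [string] $InternalDomain = 'CORP\',
        [string] $OutputCsv = '.\sharepoint-write-access.csv'
    )
    $addItems = [Microsoft.SharePoint.SPBasePermissions]::AddListItems

    $rows = foreach ($site in Get-SPSite -Limit All) {
        try {
            foreach ($web in $site.AllWebs) {
                # Webs that inherit permissions just repeat their parent's grants; skip them
                if (-not $web.HasUniqueRoleAssignments) { $web.Dispose(); continue }

                foreach ($ra in $web.RoleAssignments) {
                    # Keep only bindings that allow writing items: Contribute, Edit, Design, Full Control
                    $writeRoles = @($ra.RoleDefinitionBindings |
                        Where-Object { ($_.BasePermissions -band $addItems) -eq $addItems })
                    if ($writeRoles.Count -eq 0) { continue }
                    $roleNames = ($writeRoles | ForEach-Object Name) -join ';'

                    # A SharePoint group is expanded to its users; a user or AD group is reported as-is
                    $isSpGroup = $ra.Member -is [Microsoft.SharePoint.SPGroup]
                    $users = if ($isSpGroup) { $ra.Member.Users } else { @($ra.Member) }
                    foreach ($u in $users) {
                        [pscustomobject]@{
                            Web        = $web.Url
                            Principal  = $u.LoginName
                            ViaGroup   = if ($isSpGroup) { $ra.Member.Name } else { '' }
                            Roles      = $roleNames
                            IsADGroup  = $u.IsDomainGroup   # membership lives in AD; expand it there
                            IsExternal = ($u.LoginName -notlike "*$InternalDomain*")
                        }
                    }
                }
                $web.Dispose()
            }
        }
        finally { $site.Dispose() }
    }

    $rows | Export-Csv -NoTypeInformation -Path $OutputCsv
    return $rows
}

# Usage: review external accounts and AD groups first, since both widen the pool silently
# Get-SPWriteAccessReport -InternalDomain 'CORP\' |
#     Where-Object { $_.IsExternal -or $_.IsADGroup } | Format-Table
```

Rows with `IsADGroup` set deserve a second pass in Active Directory: a single domain group granted Contribute can carry hundreds of accounts that never appear in SharePoint's own membership view.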

Review account exposure through credential leak monitoring. Because exploitation requires authenticated access, the threat model includes compromised credentials rather than only insider threats. Structured credential leak monitoring covering your domain's email addresses will surface accounts that may already be in attacker hands and could be used to attempt exploitation.

Restrict network access to SharePoint where possible. If SharePoint is not required to be internet-facing, enforce access through a VPN or zero-trust gateway. For internal deployments, verify that firewall rules prevent direct inbound connections from untrusted network segments. Network segmentation limits the reachability of the deserialisation endpoint.
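As an added example of the host-level part of that restriction (not from the article), the PowerShell below limits inbound HTTPS on a SharePoint front end to the address ranges where the VPN or zero-trust gateway sits. The subnets and rule name are placeholders. It uses the Windows Firewall profile default rather than a "block everything else" rule, because Windows Firewall evaluates block rules before allow rules and such a rule would also defeat the narrow allow.

```powershell
# Added example, not from the article. Restricts inbound TCP 443 on this server to the
# gateway and admin ranges given. The ranges are PLACEHOLDERS; replace them before use.
$AllowedSources = @('10.10.0.0/16', '10.20.5.0/24')

function Get-SPInboundAllowRules {
    # Shows every enabled inbound Allow rule on the given ports, so you can see what
    # Set-SPInboundRestriction is about to disable before running it
    param([string[]] $Ports = @('443'))
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -in $Ports } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
        Select-Object DisplayName, Profile, Enabled
}

function Set-SPInboundRestriction {
    param(
        [string[]] $RemoteAddress = $AllowedSources,
        [string[]] $Ports = @('443'),
        [string]   $RuleName = 'SharePoint HTTPS (restricted)'
    )

    # Block is the default for anything not explicitly allowed; existing allow rules for
    # RDP, WinRM and so on keep working because they remain enabled
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

    # Disable the broad IIS rules that allow the port from any address (except our own rule)
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -in $Ports } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.DisplayName -ne $RuleName } |
        Disable-NetFirewallRule

    # Re-create the narrow allow rule idempotently
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $Ports -RemoteAddress $RemoteAddress -Action Allow -Profile Any
}

# Usage: inspect first, then apply
# Get-SPInboundAllowRules
# Set-SPInboundRestriction -RemoteAddress $AllowedSources
```

Run `Get-SPInboundAllowRules` first and confirm the list contains only the IIS rules you expect to lose; anything else on those ports (a load-balancer health check source, for instance) needs its own scoped allow rule before the restriction goes in.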

Enable detailed SharePoint ULS and Windows event logging, and alert on anomalies. Monitor for unexpected process spawning from SharePoint worker processes, unusual outbound connections from the SharePoint server, and authentication events from accounts that do not typically access SharePoint. Establish a baseline now, before any exploitation attempt occurs.
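The first of those signals, a SharePoint worker process spawning something it never should, is simple to hunt for once process-creation auditing is on. The PowerShell below is an added example (not from the article): it parses Security event 4688, flags children of `w3wp.exe` that are interpreters or script hosts, and includes a constructed sample so the logic can be exercised without a live server. The list of suspect child processes is an assumption to tune per environment; the 4688 field names are Microsoft's.

```powershell
# Added example, not from the article. Finds processes started by SharePoint's IIS worker
# process (w3wp.exe) in the Security log. Requires "Audit Process Creation" (event 4688);
# ParentProcessName is populated on Windows Server 2016 and later. CommandLine is empty
# unless "Include command line in process creation events" is also enabled.
# The baseline list below is an assumption to tune per environment, not Microsoft guidance.
$SuspectChildren = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'cscript.exe', 'wscript.exe',
                     'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe')

function Test-SuspiciousSpawn {
    param([string] $ParentProcessName, [string] $NewProcessName)
    $parent = [IO.Path]::GetFileName($ParentProcessName)
    $child  = [IO.Path]::GetFileName($NewProcessName)
    # A healthy SharePoint worker process does not launch shells or script hosts
    return ($parent -ieq 'w3wp.exe') -and ($SuspectChildren -icontains $child)
}

function Find-SPWorkerSpawns {
    param(
        [datetime] $Since = (Get-Date).AddHours(-24),
        [string]   $ComputerName = $env:COMPUTERNAME
    )
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ComputerName $ComputerName -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML
            $x = [xml] $_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

            if (Test-SuspiciousSpawn -ParentProcessName $d.ParentProcessName -NewProcessName $d.NewProcessName) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Computer    = $_.MachineName
                    Parent      = $d.ParentProcessName
                    Child       = $d.NewProcessName
                    CommandLine = $d.CommandLine
                    Subject     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                }
            }
        }
}

# Constructed sample rows (not real events) showing what the logic flags:
# only the first row, w3wp.exe starting cmd.exe, is reported.
$Sample = @(
    @{ ParentProcessName = 'C:\Windows\System32\inetsrv\w3wp.exe'; NewProcessName = 'C:\Windows\System32\cmd.exe' },
    @{ ParentProcessName = 'C:\Windows\System32\inetsrv\w3wp.exe'; NewProcessName = 'C:\Windows\System32\conhost.exe' },
    @{ ParentProcessName = 'C:\Windows\explorer.exe';              NewProcessName = 'C:\Windows\System32\cmd.exe' }
)
foreach ($p in $Sample) {
    [pscustomobject]@{ Child = $p.NewProcessName; Flagged = (Test-SuspiciousSpawn @p) }
}

# Live usage against the last day on a front-end server:
# Find-SPWorkerSpawns -Since (Get-Date).AddDays(-1) -ComputerName 'SPWFE01'
```

The same `Test-SuspiciousSpawn` check applies unchanged to Sysmon Event ID 1, where the equivalent fields are `ParentImage` and `Image`. Because the hit rate on a healthy server should be zero, this is a good candidate for a zero-tolerance alert rather than a threshold, and running it now establishes the baseline the paragraph above calls for.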

Frequently Asked Questions

Is SharePoint Online affected?

No. SharePoint Online, provided through Microsoft 365, is managed by Microsoft and was not impacted by CVE-2026-45659. Only on-premises deployments — SharePoint Server 2016, 2019, and Subscription Edition — are in scope. Microsoft 365 tenants required no action on this vulnerability.

If we already applied the May 2026 updates, do we need to do anything further?

No additional patch is required. According to Help Net Security, the fix was included in the May 2026 update rollup despite the CVE being left off the published list. Organisations that have fully deployed those updates are protected. The priority is confirming that the May update was actually applied to every SharePoint server in your estate.

Why does Microsoft rate this as "less likely to be exploited" if the CVSS score is 8.8?

Microsoft's exploitability ratings reflect observed attacker activity and technical complexity at the time of disclosure, not the theoretical ceiling of harm. A CVSS of 8.8 captures severity if exploitation occurs. Given SharePoint's history with deserialisation-class attacks, security teams should treat the "less likely" rating as a snapshot, not a guarantee.

Can an attacker without any account exploit this?

No. CVE-2026-45659 requires a minimum of Site Member-level authentication. Unauthenticated exploitation is not possible with this vulnerability as described. However, that authentication requirement shifts the primary risk vector to credential theft, phishing, and account compromise rather than fully external attacks.

Sources: The Hacker News, Help Net Security

About the author
Sami Malik is a copywriter passionate about crafting clear, engaging, and impactful content that helps brands connect with their audience through storytelling and strategy.
