Microsoft Patches CVE-2026-45659 — a SharePoint RCE Any Site Member Can Trigger

Microsoft patched CVE-2026-45659, a CVSS 8.8 deserialization RCE in SharePoint Server. The 'authenticated' precondition is barely a precondition — any account with Site Member, the lowest SharePoint role, can trigger it. Patch this week.


Key Takeaways

  • Microsoft patched CVE-2026-45659 on May 26, 2026 — a CVSS 8.8 deserialization-of-untrusted-data remote code execution flaw in SharePoint Server, rated Important and affecting SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016.
  • The 'authenticated' precondition is the lowest SharePoint role that exists — Site Member — which in most enterprises includes broad employee, partner, guest, and dormant accounts; combined with low attack complexity and no user interaction required, the bar to exploitation is operationally trivial.
  • SharePoint administrators should patch this week — not on the next cycle — and pair the update with a Site Member inventory audit, restriction of internet-exposed SharePoint endpoints, and proactive hunting for anomalous deserialization errors and unexpected w3wp.exe spawning in SharePoint logs.

CVE-2026-45659 is the recurring SharePoint risk profile in compact form — a high-CVSS, low-complexity, no-interaction deserialization RCE whose only barrier is the lowest-privilege account in the product, which in practice is no barrier at all.

REDMOND, WASHINGTON — On May 26, 2026, Microsoft disclosed and patched CVE-2026-45659, a high-severity remote code execution vulnerability in Microsoft SharePoint Server caused by deserialization of untrusted data. The flaw carries a CVSS v3.1 score of 8.8 and is rated Important — not Critical — and Microsoft assesses it as 'less likely to be exploited' at disclosure, with no public proof-of-concept and no observed exploitation in the wild. It affects every currently supported on-premises version: SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. An authenticated attacker with the minimum Site Member permission level — the lowest-privilege role in a SharePoint deployment — can execute code remotely on a vulnerable server with no user interaction and low attack complexity.

The patch was published as a standard Microsoft security update. Coverage is anchored by The Hacker News, Help Net Security, and the Microsoft Security Response Center advisory.

CVE-2026-45659 Overview
Field | Details
CVE | CVE-2026-45659
Class | Deserialization of untrusted data (CWE-502) leading to remote code execution
CVSS v3.1 | 8.8 — Microsoft severity rating: Important
Disclosed and Patched | May 26, 2026, by Microsoft, with a fix released alongside disclosure
Affected Products | SharePoint Server Subscription Edition; SharePoint Server 2019; SharePoint Enterprise Server 2016 — every currently supported on-premises version
Attack Complexity | Low — no user interaction required
Privileges Required | Authenticated, minimum Site Member (PR:L) — the lowest-privilege role in SharePoint
Exploitability | Microsoft: 'less likely to be exploited' at disclosure — no public PoC and no observed in-the-wild exploitation
Discovery | Not publicly attributed by Microsoft at disclosure
CISA KEV | Not in KEV at disclosure

What Happened

Microsoft released a security update for CVE-2026-45659 on May 26, 2026, addressing a deserialization-of-untrusted-data vulnerability in Microsoft SharePoint Server. The CWE-502 flaw allows an authenticated attacker to execute arbitrary code remotely on a vulnerable SharePoint Server instance, without user interaction and with low attack complexity. The required privilege level is the minimum tier of SharePoint authorization — Site Member, the role a typical user receives when added to a SharePoint site, library, or team workspace. Microsoft's severity rating is Important, with a CVSS v3.1 base score of 8.8, and the vendor's exploitability assessment at disclosure is 'less likely to be exploited.' There is no public proof-of-concept and no observed exploitation in the wild reported at the time of the advisory.

The affected products span the full currently-supported on-premises SharePoint family: SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Microsoft published the fix as a standard Patch Tuesday-cadence security update rather than as an out-of-band emergency advisory, consistent with the 'less likely' label. The disclosure was reported in real time by The Hacker News and Help Net Security, with the authoritative technical detail in the Microsoft Security Response Center entry for CVE-2026-45659 and the matching NVD record.

Why 'Authenticated' Is Not the Mitigation It Sounds Like

Read the CVE summary too quickly and 'authenticated attacker required' looks like a meaningful guardrail. In a SharePoint context, it is barely one. Site Member is the floor of the SharePoint permission model — it is the role granted to every user who is added to a site, every external collaborator invited to a shared library, and every employee with default access to a team workspace. In most enterprise deployments, that population is functionally the entire workforce plus the entire current and historical partner and contractor list. Site Member access is also the role that tends to linger longest on dormant accounts, because the access was added once and rarely audited again. Combine that with low attack complexity and no user interaction required, and the realistic answer to 'how many accounts could exploit this in our environment' is closer to 'all of them' than 'a privileged few.' That is why CVE-2026-45659's 'Important' rating and 'less likely to be exploited' assessment should not be read as permission to wait.

The Recurring SharePoint Deserialization Pattern

Deserialization-of-untrusted-data RCEs in Microsoft Office SharePoint are a well-established recurring class of exploited vulnerability, not a novel discovery. The most recent public precedent is the 2025 'ToolShell' wave around CVE-2025-53770, in which a SharePoint deserialization flaw moved from disclosure to mass in-the-wild exploitation rapidly once technical detail and PoC code emerged. CVE-2026-45659 sits in the same architectural neighborhood: the same product family, the same vulnerability class, the same low-complexity, no-interaction exploit profile. The 'less likely to be exploited' label is Microsoft's read of the situation at disclosure, before any PoC exists — historically that label has a short half-life when CVSS, complexity, and interaction requirements all line up favorably for an attacker. CVE-2026-45659's profile is precisely the combination that has tended to attract PoCs within days, and SharePoint is precisely the kind of high-value target that motivates rapid weaponization. The CyberSignal covered an earlier 2026 SharePoint zero-day, CVE-2026-32201, when CISA added it to the Known Exploited Vulnerabilities catalog under an urgent federal deadline; CVE-2026-45659 is a different flaw and currently has no public exploitation, but the structural lesson — that SharePoint is a sustained target — is the same.

Distinct From the Exchange Zero-Day, Part of the Same Cluster

CVE-2026-45659 should not be conflated with the recently disclosed on-premises Microsoft Exchange Server zero-day, CVE-2026-42897. The two are separate flaws, in separate products, with separate exploitation profiles — Exchange's was an exploited zero-day with active in-the-wild use, while CVE-2026-45659 is a patch-on-disclosure with no observed exploitation. But they are part of the same broader cluster: the on-premises Microsoft server estate (SharePoint, Exchange, SQL Server, IIS-fronted workloads) is under sustained, simultaneous attention from threat actors throughout 2026. The Verizon DBIR 2026 documented that vulnerability exploitation just overtook credential theft as the number-one initial-access method, and the on-prem Microsoft server stack is one of the surfaces where that shift is most visible. Treat Microsoft on-prem patching as a Tier 1 SLA — the 2026 cadence is sustained, not episodic, and the next disclosure in this cluster is not a hypothetical.

Scope and Impact

The blast radius if CVE-2026-45659 is exploited is shaped by where SharePoint sits inside an enterprise. SharePoint Server runs as a high-privilege workload on the on-premises Windows stack, typically with service accounts that have broad reach into Active Directory and into the file shares, databases, and identity infrastructure SharePoint integrates with. Remote code execution on a SharePoint front-end is rarely the end of the kill chain; historically it is the start of one — web-shell deployment, credential theft from the SharePoint service account context, and lateral movement into the surrounding Active Directory environment. The post-exploitation pattern after similar SharePoint deserialization flaws — most recently the 2025 ToolShell wave — was rapid web-shell drop within hours of public PoC. Defenders should treat a patched-but-formerly-vulnerable SharePoint server the way they would any other high-value internet-or-VPN-facing workload: assume the window before the patch is the window to hunt.

Several specifics are not confirmed at disclosure and should not be assumed. The discovering researcher has not been publicly named. The specific component or code path inside SharePoint that performs the unsafe deserialization has not been disclosed in the public advisory. The number of internet-exposed on-prem SharePoint instances is not part of Microsoft's bulletin. Whether the flaw will be added to the CISA Known Exploited Vulnerabilities catalog is unknown — it is not in KEV at disclosure, and KEV addition would require observed in-the-wild exploitation. Whether SharePoint Online or other Microsoft 365-hosted SharePoint workloads are affected is not addressed in the on-premises advisory and should be verified separately rather than assumed.

CVE-2026-45659 also lands inside the broader 2026 Microsoft-targeting pattern The CyberSignal has tracked. In the past few weeks alone the cluster has produced the two actively exploited Microsoft Defender zero-days, UnDefend and RedSun, built to neutralize the endpoint-protection tool itself, Microsoft's takedown of a code-signing-as-a-service operation whose customers included five ransomware crews, and a steady cadence of platform-level flaws across the on-prem server estate. The Ghost CMS CVE-2026-26980 SQL-injection-plus-ClickFix campaign that compromised more than 700 sites is a parallel reminder that authenticated-but-low-privilege flaws in collaboration and content platforms convert into mass-compromise outcomes faster than their CVSS preconditions suggest. Different product, same risk pattern.

Response and Attribution

For organizations running SharePoint Server on-premises, the immediate action is to apply Microsoft's CVE-2026-45659 update across all instances of SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016 this week. Microsoft's Important rating and 'less likely to be exploited' assessment do not justify a slower timeline — the low attack complexity, lack of user-interaction requirement, and Site Member-floor precondition make this attacker-friendly the moment a public proof-of-concept lands. Pair the patch with a Site Member inventory audit: enumerate accounts with Site Member or higher across every SharePoint site collection, prune unnecessary low-privilege access, and pay particular attention to guest, external-collaborator, dormant, and offboarded-employee accounts that may still hold Site Member access by accident. Where business requirements allow, restrict internet exposure of on-prem SharePoint behind VPN with phishing-resistant MFA.

For SOC and threat-hunting teams, treat the period between disclosure and full fleet-wide patching as the active hunting window. Watch SharePoint application and Windows event logs for anomalous deserialization-related errors — the typical fingerprint of an exploitation attempt against a CWE-502 flaw — and for unexpected child processes spawning from w3wp.exe or the SharePoint timer service, the classic post-exploitation indicator for SharePoint RCEs. Hunt for newly-written files in SharePoint web application directories, particularly anything resembling a web shell, and increase monitoring on SharePoint admin endpoints and the SharePoint content APIs for the next thirty days. The historical pattern after similar SharePoint flaws was rapid web-shell drop within hours of a PoC release; the absence of a PoC today does not mean the absence of one next week.
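
The two host-level hunts described above, written as an added example (not code from Microsoft or from the advisory): it flags unexpected children of w3wp.exe or the timer service (OWSTIMER.EXE) and script files created under SharePoint web directories. It assumes Sysmon process-creation (Event ID 1) and file-creation (Event ID 11) events already exported as flat JSON lines; the allowlist, the web-root paths, the host name and every sample event are constructed assumptions to tune per farm.

```python
import json
from pathlib import PureWindowsPath

# Parents named in the article: the IIS worker and the SharePoint timer service.
WATCHED_PARENTS = {"w3wp.exe", "owstimer.exe"}
# Assumption: children tolerated on this farm (ASP.NET compilation, crash handling).
EXPECTED_CHILDREN = {"csc.exe", "cvtres.exe", "conhost.exe", "werfault.exe"}
# Assumption: default on-prem web roots, lowercased; adjust to the farm's layout.
WEB_ROOTS = ("c:\\inetpub\\wwwroot\\wss\\virtualdirectories\\",
             "c:\\program files\\common files\\microsoft shared\\web server extensions\\")
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".asp"}

def _name(path):
    return PureWindowsPath(path or "").name.lower()

def hunt(lines):
    """Return (rule, host, time, detail) tuples from JSON-lines Sysmon events."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
            where = (ev.get("Computer"), ev.get("UtcTime"))
        except (json.JSONDecodeError, AttributeError):
            continue  # skip truncated or non-object lines, keep hunting
        if ev.get("EventID") == 1:  # Sysmon process creation
            parent, child = _name(ev.get("ParentImage")), _name(ev.get("Image"))
            if parent in WATCHED_PARENTS and child not in EXPECTED_CHILDREN:
                findings.append(("child-of-" + parent, *where, ev.get("CommandLine")))
        elif ev.get("EventID") == 11:  # Sysmon file creation
            target = ev.get("TargetFilename") or ""
            ext = PureWindowsPath(target).suffix.lower()
            if target.lower().startswith(WEB_ROOTS) and ext in SCRIPT_EXTS:
                findings.append(("script-in-web-root", *where, target))
    return findings

def _ev(eid, time, **fields):  # builds one constructed sample event
    return json.dumps({"EventID": eid, "Computer": "SP-WFE01", "UtcTime": time, **fields})

W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
EXT = r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16"
SAMPLE = [  # constructed events, not taken from a real incident
    _ev(1, "02:14:01", ParentImage=W3WP, Image=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", CommandLine="csc.exe /noconfig"),
    _ev(1, "02:14:07", ParentImage=W3WP, Image=r"C:\Windows\System32\cmd.exe", CommandLine="cmd.exe /c whoami"),
    _ev(1, "02:15:30", ParentImage=EXT + r"\BIN\OWSTIMER.EXE", Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", CommandLine="powershell.exe"),
    _ev(11, "02:16:12", Image=W3WP, TargetFilename=EXT + r"\TEMPLATE\LAYOUTS\example.aspx"),
    _ev(11, "02:17:00", Image=W3WP, TargetFilename=r"C:\Temp\report.aspx"),
    "{truncated",
]
if __name__ == "__main__":
    print(*hunt(SAMPLE), sep="\n")
```

On the sample, the compiler child and the write outside the web roots pass, while the shell children and the `.aspx` file under `LAYOUTS` are reported. Findings are leads for triage, since legitimate solution deployments also write pages into these directories.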

For CISOs, CVE-2026-45659 is a reminder that the on-premises Microsoft server estate — SharePoint, Exchange, SQL Server — remains a high-frequency target and that the 'authenticated, low privilege' precondition pattern is the practical risk profile, not the technical CVSS alone. Microsoft has not attributed the discovery of CVE-2026-45659 to a named researcher and has not reported in-the-wild exploitation. The structural call is to fund Tier 1 SLA treatment for on-prem Microsoft patching, build a recurring Site Member audit into the SharePoint operating model, and stop using CVSS preconditions as a reason to defer patches whose impact-side numbers — 8.8 base score, low complexity, no interaction — are the part of the score that actually matters once an exploit exists.


The CyberSignal Analysis

Signal 01 — Site Member Is the Floor, and the Floor Is Where Most Users Live

The single most important reframing of CVE-2026-45659 is this: 'authenticated, Site Member required' is not a guardrail; it is a description of where every user in a typical SharePoint deployment already lives. Site Member is the access level a SharePoint user receives by default the first time they are added to a site, library, or team workspace, and in a normal enterprise deployment that population is broad — current employees, contractors, partners, guests, and dormant accounts that retain access nobody re-audited. CVSS and Microsoft both reward that precondition with a lower severity, because the flaw is not reachable by an unauthenticated attacker on the internet. But in operational terms, every SharePoint login in the organization is a potential exploitation vector. The defense is not 'the precondition will protect us'; the defense is the patch. Treat 'authenticated, Site Member' the way you would treat 'unauthenticated' in any product where Site Member-equivalent access is the default user state.

Signal 02 — 'Less Likely to Be Exploited' Has a Short Half-Life When the Profile Is This Friendly

Microsoft's 'less likely to be exploited' assessment is a useful signal — at disclosure. It reflects the absence of a public proof-of-concept and the absence of observed in-the-wild exploitation at that moment. What it does not reflect is the underlying attractiveness of the flaw to an exploit developer, and on that axis CVE-2026-45659 scores highly: CVSS 8.8, low attack complexity, no user interaction required, and a precondition that is functionally trivial in a SharePoint environment. Deserialization RCEs in Microsoft Office SharePoint are a recurring exploited-vulnerability class — the 2025 ToolShell wave around CVE-2025-53770 is the most recent precedent — and the combination of disclosed-and-patched plus public technical detail in the advisory is exactly the input vulnerability researchers and threat actors use to reverse the patch and produce a PoC. The 'less likely' label is a snapshot, not a forecast. Patch on the timeline the impact profile demands, not the exploitability label.

Signal 03 — On-Prem Microsoft Servers Are a Sustained 2026 Pattern

CVE-2026-45659 is one entry in a 2026 trend the data now supports clearly. The Verizon DBIR 2026 found that vulnerability exploitation has just overtaken credential theft as the number-one initial-access method. The on-prem Microsoft server estate — SharePoint, Exchange, SQL Server, IIS-fronted workloads — is one of the surfaces where that shift is most visible, because these products are widely deployed, high-privilege, and often internet-or-VPN-adjacent. The Exchange Server zero-day CVE-2026-42897 was a separate, exploited disclosure in the same general window; CVE-2026-45659 is the SharePoint counterpart, currently patched ahead of exploitation. The right organizational read is not that any single CVE is the emergency — it is that the cluster is. On-prem Microsoft patching deserves Tier 1 SLA treatment, the Site Member-and-equivalent low-privilege audit deserves a recurring schedule, and the assumption that the next on-prem Microsoft disclosure is weeks rather than months away is the safer planning assumption.


Sources

Type | Source
Primary | Microsoft Security Response Center — CVE-2026-45659
Primary | NVD — CVE-2026-45659
Reporting | The Hacker News — Microsoft Patches SharePoint RCE Flaw
Reporting | Help Net Security — SharePoint Vulnerability CVE-2026-45659