Microsoft has patched CVE-2026-45659, a deserialization-of-untrusted-data flaw in SharePoint Server that lets any authenticated user with Site Member permissions execute arbitrary code as the SharePoint service account. The bug was disclosed and patched on May 21, 2026; broader vendor and press writeups landed on May 26. CVSS 3.1 base score is 8.8, and given how aggressively previous SharePoint deserialization flaws have been weaponized in 2026, every infrastructure team running on-prem SharePoint should treat this as urgent.
What happened
CVE-2026-45659 is the latest in a string of SharePoint RCE bugs Microsoft has shipped this year — a direct cousin of CVE-2026-20963 from the March patch cycle. The class is the same: SharePoint accepts serialized .NET objects on certain endpoints and rehydrates them into application objects without enforcing an allowlist of permitted types. An attacker who can submit a payload to one of those endpoints can ride a gadget chain (the usual ObjectDataProvider, TypeConfuseDelegate, WindowsIdentity, or ActivitySurrogateSelector patterns) all the way to arbitrary code execution.
What makes this one notable is the privilege requirement. The CVSS vector lists PR:L — privileges required: low. In SharePoint terms, that maps to Site Member, the lowest tier any authenticated user can hold. Site Member is the role you get when you’re invited to a single team site to upload a few files. There’s no admin path required, no SharePoint farm administrator credential, no service account compromise. If an attacker has phished or otherwise obtained any rank-and-file employee’s credentials, they have what they need to detonate this.
Technical details
The deserialization happens inside the SharePoint worker process (w3wp.exe), which runs as the SharePoint application pool service account. That account typically holds extensive rights across the farm — read/write to the SharePoint content databases, network reachability to other farm servers, and often the ability to enumerate AD principals via the SharePoint user profile sync. Once you have code execution inside w3wp.exe, you’re standing on the floor of the farm.
The exploitation pattern is well-trodden:
- Authenticate with any low-privilege account.
- Identify the vulnerable endpoint accepting serialized state.
- Craft a .NET gadget chain payload (ysoserial.net will do most of this for you).
- POST the payload, watch SharePoint deserialize it, and inherit the service account.
Microsoft’s advisory says there is no public exploit code and no in-the-wild exploitation observed at time of publication. That assurance has a short half-life. Earlier 2026 SharePoint deserialization flaws (CVE-2026-20963, the ToolShell chain from last summer) had working exploits circulating in research channels within days of disclosure.
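The symptom that follows a successful deserialization is the one described above: code running inside w3wp.exe under the application pool identity, which almost always shows up as the worker process launching a shell or script host. The following PowerShell hunt is an added example written for this post, not part of Microsoft's advisory or the writeups it cites. It assumes process-creation auditing (Security event 4688) is enabled on the SharePoint servers, and the list of suspicious child images is my own choice rather than a vendor-published one.

```powershell
# Added example: hunt Security event 4688 for child processes of the SharePoint worker.
# Assumes "Audit Process Creation" is enabled (and ideally command-line logging, so the
# CommandLine field is populated). Run elevated on each SharePoint server, or pass the
# server names via -ComputerName.

function Find-W3wpChildProcess {
    param(
        [string[]] $ComputerName = @($env:COMPUTERNAME),
        [datetime] $Since = (Get-Date).AddDays(-7),
        # Child images a healthy SharePoint worker should essentially never launch.
        # Assumption: this watch list is chosen for the example, not vendor-published.
        [string[]] $SuspiciousChild = @('cmd.exe','powershell.exe','pwsh.exe','wscript.exe',
                                        'cscript.exe','mshta.exe','rundll32.exe','certutil.exe',
                                        'bitsadmin.exe','regsvr32.exe','msbuild.exe')
    )

    foreach ($computer in $ComputerName) {
        $events = Get-WinEvent -ComputerName $computer -FilterHashtable @{
            LogName = 'Security'; Id = 4688; StartTime = $Since
        } -ErrorAction SilentlyContinue

        foreach ($e in $events) {
            # 4688 carries its fields in EventData; read them by name from the event XML.
            $xml  = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            $parent = [string]$data['ParentProcessName']
            $child  = [string]$data['NewProcessName']
            if (-not $parent -or -not $child) { continue }

            # Keep only events where the IIS worker is the parent and the child is watched.
            if ($parent -notmatch '\\w3wp\.exe$') { continue }
            $leaf = Split-Path -Leaf $child
            if ($SuspiciousChild -notcontains $leaf) { continue }

            [pscustomobject]@{
                Computer    = $computer
                Time        = $e.TimeCreated
                Parent      = $parent
                Child       = $child
                User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                CommandLine = $data['CommandLine']   # empty unless command-line auditing is on
            }
        }
    }
}

# Usage (hypothetical server names):
# Find-W3wpChildProcess -ComputerName 'SP-WFE01','SP-WFE02' -Since (Get-Date).AddDays(-30) |
#     Sort-Object Time | Format-Table -AutoSize
```

The watch list deliberately leaves out images w3wp.exe launches legitimately on a SharePoint box, such as csc.exe and cvtres.exe during ASP.NET compilation, so that a hit is worth paging on. The User column will normally be the application pool identity; that is the account the post describes as having farm-wide reach, which is what makes any hit here serious.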
Affected versions
- SharePoint Server Subscription Edition
- SharePoint Server 2019
- SharePoint Enterprise Server 2016
SharePoint Online (Microsoft 365) is not in scope — Microsoft handles patching on the back end. If you’re running any flavor of on-prem SharePoint, you almost certainly need to act.
Why this matters for infrastructure teams
SharePoint farms are rarely standalone. They typically host service accounts with reach into Active Directory, SQL Server back-ends, file shares, and increasingly federated identity systems. A compromised SharePoint worker process is a stepping stone, not an endpoint. In several of the 2026 SharePoint incidents that became public, the initial RCE was followed within hours by SQL pivot, lateral movement to domain controllers, and in two cases ransomware deployment across the SharePoint-adjacent SQL infrastructure.
The Site Member requirement also changes the threat model. Most defenders worry about unauthenticated internet-facing exposure. CVE-2026-45659 punishes the assumption that “authenticated only” is meaningful protection. Any compromised employee account — phished, infostealer-harvested, or sold on a marketplace — is now a path to farm RCE.
Mitigation
Patch. There is no good workaround. The KB articles are out across all three supported branches:
- Install the May 2026 security update for your SharePoint version. Microsoft has published separate KBs for Subscription Edition, 2019, and 2016 Enterprise — make sure you pull the right one, particularly on 2016 where the “Foundation” vs “Enterprise” split has historically tripped admins up.
- Run the SharePoint Products Configuration Wizard (PSConfig) after applying binaries. Skipping this step has been the cause of “I patched but I’m still vulnerable” reports on prior SharePoint CVEs.
- Audit your Site Member rolls. Any account with that permission level on any site is a viable foothold. Disable inactive accounts, rotate passwords on accounts known to be in infostealer logs, and tighten guest/external sharing.
- If you can’t patch within a reasonable window, restrict SharePoint farm access to VPN/ZTNA so the attack surface isn’t open to the general employee population — and rotate the SharePoint farm service account credentials so a successful exploit doesn’t immediately give attackers a long-lived foothold.
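Two of the steps above can be verified from the SharePoint Management Shell rather than by trust: whether the farm actually reached the patched build (the part PSConfig completes) and who holds Site Member-level rights across every web. This added example is mine, not Microsoft's or the cited writeups'; the patched build number is a placeholder you must take from the KB for your branch, and it assumes Site Member corresponds to the Contribute or Edit permission levels on your sites, which is the default but can differ on customized farms.

```powershell
# Added example: post-patch verification and Site Member audit for an on-prem farm.
# Run from the SharePoint Management Shell (or after the Add-PSSnapin below) as a farm admin.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Verify the farm build. PLACEHOLDER: replace with the build listed in the May 2026
#    KB for your branch (Subscription Edition, 2019 or 2016); the value is not on this page.
$PatchedBuild = [version]'0.0.0.0'
$farmBuild = (Get-SPFarm).BuildVersion
if ($farmBuild -lt $PatchedBuild) {
    Write-Warning "Farm build $farmBuild is below $PatchedBuild. Install the update, then run PSConfig:"
    Write-Warning '  PSConfig.exe -cmd upgrade -inplace b2b -wait -cmd applicationcontent -install -cmd installfeatures -cmd secureresources -cmd services -install'
} else {
    Write-Host "Farm build $farmBuild is at or above the patched build."
}
# Catch the "binaries installed but PSConfig never run" state per server.
Get-SPServer | Where-Object { $_.NeedsUpgrade } | ForEach-Object {
    Write-Warning "Server $($_.Name) still needs upgrade (PSConfig not run)."
}

# 2. Enumerate every principal holding Site Member-level rights on any web.
#    Assumption: Site Member maps to the "Contribute" or "Edit" permission levels.
$MemberLevels = @('Contribute', 'Edit')
$findings = foreach ($site in Get-SPSite -Limit All) {
    try {
        foreach ($web in $site.AllWebs) {
            try {
                foreach ($ra in $web.RoleAssignments) {
                    $levels = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
                    if (-not ($levels | Where-Object { $MemberLevels -contains $_ })) { continue }
                    # Expand SharePoint groups to their individual users; keep direct grants as-is.
                    $principals = if ($ra.Member -is [Microsoft.SharePoint.SPGroup]) { $ra.Member.Users } else { @($ra.Member) }
                    foreach ($p in $principals) {
                        [pscustomobject]@{
                            Web           = $web.Url
                            GrantedTo     = $ra.Member.Name
                            Login         = $p.LoginName
                            IsDomainGroup = $p.IsDomainGroup   # a domain group here means "everyone in it"
                            Levels        = ($levels -join ';')
                        }
                    }
                }
            } finally { $web.Dispose() }
        }
    } finally { $site.Dispose() }
}

$findings | Export-Csv -Path .\site-member-audit.csv -NoTypeInformation
# Quick view: which logins hold member rights on the most webs.
$findings | Group-Object Login | Sort-Object Count -Descending | Select-Object -First 20 Count, Name
```

Rows where IsDomainGroup is true deserve the most attention: a grant to "Domain Users" or an all-staff AD group makes every employee account a Site Member on that web, which is exactly the population the post says a phished or infostealer-harvested credential comes from. The CSV is the input for the disable/rotate/tighten work in the bullet above.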
Microsoft’s advisory is at the MSRC update guide. The Hacker News and Help Net Security writeups have the clearest summaries for non-Microsoft readers.
Patch this week. The pattern of every SharePoint deserialization RCE in the last eighteen months has been the same: quiet disclosure, working exploit within days, mass exploitation within weeks. CVE-2026-45659 will not be the exception.