CISA Known Exploited Vulnerabilities (KEV): Added July 1, 2026. Due July 4, 2026. BOD 26-04 3-day mandate. Patch shipped May 2026 but Microsoft forgot to disclose until May 21.
What Is the Vulnerability?
CVE-2026-45659 is a deserialization of untrusted data vulnerability in Microsoft SharePoint Server that allows remote code execution (RCE). An authenticated attacker with Site Member permissions — the standard contributor role — can exploit this flaw to execute arbitrary code on the SharePoint server.
This vulnerability is notable because Microsoft shipped the patch in May 2026 but did not publish the security bulletin until May 21, leaving defenders in the dark about the severity. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on July 1, 2026, with a remediation deadline of July 4, 2026.
Versions Affected
Microsoft SharePoint Server (all supported versions that received the May 2026 security update). The patch was included in the May 2026 Patch Tuesday release but the bulletin was delayed.
Exploited?
Yes. CISA has confirmed active exploitation in the wild, which triggered the KEV listing. Microsoft’s advisory originally rated exploitation as “less likely,” but CISA’s action contradicts that assessment.
Fix
The fix is included in the May 2026 security update for Microsoft SharePoint Server. Organizations should immediately verify that this patch has been applied across all SharePoint deployments.
Recommendations
- Verify May 2026 patch: Confirm the May 2026 SharePoint security update is installed on all SharePoint servers.
- Audit Site Member permissions: Review all users with Site Member or higher roles across SharePoint sites.
- Check external/guest users: Identify any external or guest users granted Site Member permissions and revoke or restrict access where possible.
- July 4 deadline: Federal agencies under BOD 26-04 have only 2 days to remediate.
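One way to run the first three checks on a farm, as an added example (not Microsoft's or CISA's tooling): it compares the farm build to the patched build and lists every account holding an edit-capable permission level, flagging those outside your own directory. Assumptions: `$PatchedBuild` comes from Microsoft's bulletin (this page does not state it), `$InternalLoginPattern` is a regex you supply for your own accounts, and "Site Member or higher" is approximated as any permission level that includes `EditListItems`.

```powershell
# Added example: run in the SharePoint Management Shell as a farm administrator.
param(
    [Parameter(Mandatory)][version]$PatchedBuild,         # from Microsoft's bulletin (not given on this page)
    [Parameter(Mandatory)][string]$InternalLoginPattern   # assumption: regex for your own accounts, e.g. '\|CORP\\'
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Patch check: the farm build must be at or above the patched build.
#    BuildVersion only moves after the configuration wizard has run on the farm.
$farmBuild = (Get-SPFarm).BuildVersion
if ($farmBuild -lt $PatchedBuild) {
    Write-Warning "Farm build $farmBuild is below $PatchedBuild; update not fully applied."
}

# 2. Enumerate every principal whose permission level allows editing items
#    (Contribute/Edit and above), expanding SharePoint groups to their users.
$edit = [Microsoft.SharePoint.SPBasePermissions]::EditListItems
Start-SPAssignment -Global
$findings = foreach ($site in Get-SPSite -Limit All) {
    foreach ($web in $site.AllWebs) {
        # Webs that inherit permissions are already covered by their parent.
        if (-not $web.IsRootWeb -and -not $web.HasUniqueRoleAssignments) { continue }
        foreach ($ra in $web.RoleAssignments) {
            $levels = @($ra.RoleDefinitionBindings |
                Where-Object { $_.BasePermissions.HasFlag($edit) })
            if ($levels.Count -eq 0) { continue }
            $users = if ($ra.Member -is [Microsoft.SharePoint.SPGroup]) {
                $ra.Member.Users
            } else { $ra.Member }
            foreach ($u in $users) {
                [pscustomobject]@{
                    Web         = $web.Url
                    Via         = $ra.Member.Name
                    Login       = $u.LoginName
                    Levels      = ($levels.Name -join ', ')
                    NotInternal = $u.LoginName -notmatch $InternalLoginPattern
                }
            }
        }
    }
}
Stop-SPAssignment -Global

# 3. Save the full list; show accounts outside the internal pattern first.
$findings | Sort-Object NotInternal -Descending |
    Export-Csv .\site-member-audit.csv -NoTypeInformation
$findings | Where-Object NotInternal | Format-Table Web, Login, Via, Levels -AutoSize
```

The script covers site-level role assignments only; lists and libraries with broken inheritance need a separate pass.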
References
- CISA Known Exploited Vulnerabilities Catalog
- Security.nl Coverage
- Microsoft Security Bulletin (May 2026 Patch Tuesday)
Part of the Vulnerability Intelligence series. See the July 2, 2026 VIR.
