CVE-2026-45659: Microsoft SharePoint Server Deserialization Remote Code Execution (CISA KEV)

CISA Known Exploited Vulnerability (KEV): Added July 1, 2026. Due July 4, 2026 (BOD 26-04, 3-day remediation mandate). The fix shipped in the May 2026 security update, but Microsoft did not publish the advisory until May 21.

What Is the Vulnerability?

CVE-2026-45659 is a deserialization of untrusted data vulnerability in Microsoft SharePoint Server that allows remote code execution (RCE). An authenticated attacker holding only Site Member permissions, the default contributor role that anyone who can add list items or upload documents typically has, can exploit the flaw to execute arbitrary code on the SharePoint server. Because the prerequisite is an ordinary low-privilege account rather than an administrative one, any phished or otherwise compromised user credential is enough to reach the vulnerable code path.

This vulnerability is notable because Microsoft shipped the patch in May 2026 but did not publish the security bulletin until May 21, so organizations that deferred or staged the update had no indication of its severity during that gap. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on July 1, 2026, with a remediation deadline of July 4, 2026.

Versions Affected

Microsoft SharePoint Server, all supported on-premises versions covered by the May 2026 security update. The fix was included in the May 2026 Patch Tuesday release, but the bulletin was delayed. This write-up does not list the exact product editions or fixed build numbers; take those from Microsoft's advisory for CVE-2026-45659 before comparing against your farm.

Exploited?

Yes. CISA has confirmed active exploitation in the wild, which is the criterion that triggers a KEV listing. Microsoft's advisory originally rated exploitation as "less likely"; CISA's action contradicts that assessment, so treat the original exploitability rating as superseded.

Fix

The fix is included in the May 2026 security update for Microsoft SharePoint Server. Organizations should immediately verify that this patch has been applied across all SharePoint deployments. Note that for SharePoint Server the update is not effective until the post-patch configuration step (the Products Configuration Wizard, PSConfig) has completed on every server in the farm; binaries installed without that step leave the farm in a pending-upgrade state.

Recommendations

  • Verify May 2026 patch: Confirm the May 2026 SharePoint security update is installed on every server in the farm, and that PSConfig has completed so no server still reports a pending upgrade.
  • Audit Site Member permissions: Review all users with Site Member or higher roles (Contribute, Edit, Full Control) across SharePoint sites, including members of the default "Members" groups and accounts granted those roles directly.
  • Check external/guest users: Identify any external or guest users granted Site Member permissions and revoke or restrict access where possible, since any such account meets the exploit's only prerequisite.
  • July 4 deadline: Federal agencies under BOD 26-04 must remediate by July 4, 2026, three days after the KEV listing (two days from the date of this write-up).
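The following script carries out the three technical checks above on an on-premises SharePoint Server farm. It is an added example, not code from the original post or from Microsoft. It assumes it is run from a farm server as a farm administrator with the Microsoft.SharePoint.PowerShell snap-in available, and two things that are not on this page: the fixed build number, which you must take from Microsoft's advisory and pass as -MinimumFixedBuild, and the list of NetBIOS domains you consider internal (-InternalDomains, defaulting to a placeholder "CORP"). The "external" flag is a heuristic based on that list and on claims logins without a domain prefix; treat it as a starting point for review, not a verdict.

```powershell
# Added example (not from the original page or Microsoft).
# Assumes: SharePoint Management Shell snap-in, run on a farm server as farm admin.
param(
    # Fixed build is NOT given on this page: take it from Microsoft's advisory for CVE-2026-45659.
    [Parameter(Mandatory)][version]$MinimumFixedBuild,
    # Assumption: NetBIOS domains whose accounts count as internal. Everything else is flagged.
    [string[]]$InternalDomains = @("CORP"),
    [string]$ReportPath = ".\sharepoint-contributors.csv"
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

# --- 1. Patch verification ---------------------------------------------------------
$farm = Get-SPFarm
Write-Host ("Farm build: {0} (minimum fixed build: {1})" -f $farm.BuildVersion, $MinimumFixedBuild)
if ($farm.BuildVersion -lt $MinimumFixedBuild) {
    Write-Warning "Farm build is below the fixed build: the May 2026 update is NOT applied."
}
# Installed binaries are not enough: the update is only effective once PSConfig has run on
# every server. Refresh local patch state, then flag servers still needing upgrade.
# Role 'Invalid' is the database server, which carries no SharePoint binaries.
Get-SPProduct -Local | Out-Null
Get-SPServer | Where-Object { $_.Role -ne "Invalid" } | ForEach-Object {
    if ($_.NeedsUpgrade) {
        Write-Warning ("Server {0} has pending upgrade actions: run PSConfig / Upgrade-SPFarm" -f $_.Name)
    }
}

# --- 2. Principals with Site Member (Contribute) or higher --------------------------
# AddListItems is granted by Contribute, Edit and Full Control, but not by Read or Limited Access,
# so it is a usable proxy for "Site Member or higher".
$contribute = [Microsoft.SharePoint.SPBasePermissions]::AddListItems

function Get-LoginDomain([string]$login) {
    # Claims logins look like "i:0#.w|CORP\jdoe"; classic logins like "CORP\jdoe".
    $account = $login.Split('|')[-1]
    if ($account -match '^([^\\]+)\\') { return $Matches[1] }
    return $null    # no domain prefix: trusted-provider or email-style claim
}

$findings = New-Object System.Collections.Generic.List[object]
foreach ($site in Get-SPSite -Limit All) {
    try {
        foreach ($web in $site.AllWebs) {
            # Webs that inherit permissions are already covered by their parent.
            if (-not $web.HasUniqueRoleAssignments) { $web.Dispose(); continue }
            foreach ($ra in $web.RoleAssignments) {
                $roles = $ra.RoleDefinitionBindings | Where-Object { ($_.BasePermissions -band $contribute) -ne 0 }
                if (-not $roles) { continue }
                $roleNames = ($roles | ForEach-Object { $_.Name }) -join ';'
                # Expand SharePoint groups to their member users; keep direct grants as-is.
                $users = if ($ra.Member -is [Microsoft.SharePoint.SPGroup]) { $ra.Member.Users } else { @($ra.Member) }
                foreach ($u in $users) {
                    $domain = Get-LoginDomain $u.LoginName
                    $findings.Add([pscustomobject]@{
                        Web         = $web.Url
                        Principal   = $u.Name
                        Login       = $u.LoginName
                        Via         = $ra.Member.Name
                        Roles       = $roleNames
                        # Domain security groups cannot be expanded here; review them in AD.
                        DomainGroup = $u.IsDomainGroup
                        # Heuristic (assumption): not in $InternalDomains, or no domain prefix at all.
                        External    = ($null -eq $domain) -or ($InternalDomains -notcontains $domain)
                    })
                }
            }
            $web.Dispose()
        }
    } finally { $site.Dispose() }
}

# --- 3. Report ---------------------------------------------------------------------
$findings | Export-Csv -Path $ReportPath -NoTypeInformation
$external = @($findings | Where-Object { $_.External })
Write-Host ("{0} contributor-or-higher grants found; {1} outside {2}; report: {3}" -f `
    $findings.Count, $external.Count, ($InternalDomains -join ','), $ReportPath)
$external | Format-Table Web, Principal, Login, Via, Roles -AutoSize
```

The script is read-only: it reports, and revocation stays a deliberate manual step. Run it as `.\audit.ps1 -MinimumFixedBuild <build from the MSRC advisory> -InternalDomains CORP,CONTOSO`. Rows with DomainGroup set to True are Active Directory groups that SharePoint cannot expand; enumerate their membership in AD, because a single external or stale account inside such a group satisfies the exploit's prerequisite just as well as a direct grant.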

References

Part of the Vulnerability Intelligence series. See the July 2, 2026 VIR.
