Tracked as CVE-2026-45659, the flaw affects SharePoint Server Subscription Edition, SharePoint Server 2019 and SharePoint Enterprise Server 2016. The vulnerability has been assigned a CVSS score of 8.8, placing it in the high-severity range, and stems from deserialisation of untrusted data in Microsoft Office SharePoint. That class of weakness can be dangerous in enterprise environments because it may allow crafted data to be processed in a way that lets an attacker trigger code execution on the server.
The issue does not require administrator privileges, but it does require the attacker to be authenticated. The risk centres on users with at least Site Member permissions, meaning organisations with large internal user bases, external partner portals or weak account controls may face greater exposure. Successful exploitation could compromise confidentiality, integrity and availability, allowing an attacker to move from a low-privileged foothold to deeper access within a SharePoint deployment.
Microsoft has indicated that the vulnerability can be exploited over a network with low attack complexity and without user interaction. The company has also assessed exploitation as less likely at this stage, and there is no confirmed public evidence of active exploitation or a working proof-of-concept exploit in the wild. Even so, security teams are treating the patch as material because SharePoint servers have repeatedly been targeted by criminal groups, access brokers and state-linked operators.
The company updated its advisory on May 26 after the vulnerability was omitted from the May 2026 security update documentation. Customers that already installed the relevant May 2026 updates do not need further action for this specific flaw, while administrators who have not yet updated affected systems are being urged to apply the latest builds. Fixed versions include SharePoint Server Subscription Edition build 16.0.19725.20280, SharePoint Server 2019 build 16.0.10417.20128 and SharePoint Enterprise Server 2016 build 16.0.5552.1002.
The disclosure lands against a broader pattern of attacks on collaboration and document management systems, where a successful compromise can offer access to contracts, credentials, financial records, legal material and operational data. SharePoint’s role as a central repository inside many companies makes even authenticated vulnerabilities important, particularly where user permissions have grown over time and dormant accounts remain active.
Security specialists have long warned that on-premises SharePoint installations are harder to defend than cloud-managed environments because patching, monitoring, access control and server hardening remain the responsibility of the customer. SharePoint Online is not listed as affected by this server-side vulnerability, underscoring the divide between cloud-managed services and locally maintained infrastructure.
The technical root of CVE-2026-45659, deserialisation of untrusted data, is a known weakness category under CWE-502. These flaws arise when software accepts data structures from an untrusted source and reconstructs them without adequate validation. Attackers may be able to manipulate that process to trigger unintended behaviour, including command execution or the loading of malicious objects.
For enterprise defenders, the immediate priority is to confirm version status across all SharePoint farms, including development, staging, disaster recovery and legacy environments. Large organisations often maintain multiple SharePoint instances across departments, some of which may sit outside standard patch-management inventories. Externally exposed servers and systems integrated with identity providers, document workflows or third-party plug-ins deserve particular scrutiny.
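The version check described above can be run against an exported farm inventory. This is an added example, not Microsoft's or the article's code: it compares each farm's build with the fixed builds quoted earlier, and the hostnames, CSV column names and sample build values are constructed assumptions.

```python
import csv
import io

# Fixed builds as stated in the article for CVE-2026-45659.
FIXED_BUILDS = {
    "Subscription Edition": (16, 0, 19725, 20280),
    "2019": (16, 0, 10417, 20128),
    "2016": (16, 0, 5552, 1002),
}

# Constructed sample inventory (hypothetical hosts, columns and builds).
SAMPLE_INVENTORY = """host,environment,product,build
sp-prod-01,production,Subscription Edition,16.0.19725.20280
sp-dr-01,disaster-recovery,Subscription Edition,16.0.19127.20100
sp-legacy-02,legacy,2016,16.0.5552.1002
sp-dev-03,development,2019,16.0.10417.20114
sp-stage-04,staging,2019,unknown
sp-lab-05,development,2013,15.0.5603.1000
"""

def parse_build(text):
    """Return the build as a 4-integer tuple, or None if it is not a.b.c.d."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(product, build_text):
    """Classify one farm as PATCHED, VULNERABLE, or REVIEW (cannot decide)."""
    fixed = FIXED_BUILDS.get(product.strip())
    build = parse_build(build_text)
    if fixed is None or build is None:
        return "REVIEW"  # product not listed in the article, or build unreadable
    # Tuple comparison orders builds component by component.
    return "PATCHED" if build >= fixed else "VULNERABLE"

def audit(inventory_csv):
    """Return (host, environment, status) for every row of the inventory."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [(r["host"], r["environment"], classify(r["product"], r["build"]))
            for r in rows]

if __name__ == "__main__":
    for host, env, status in audit(SAMPLE_INVENTORY):
        print(f"{status:<10} {host:<14} {env}")
```

Rows marked REVIEW need a manual check, which keeps servers with missing or unparseable version data from being counted as patched.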
Patch deployment should be paired with account reviews, least-privilege enforcement and log analysis for unusual activity by low-privileged accounts. Administrators should examine authentication patterns, file uploads, web requests and unexpected process activity on SharePoint servers. Where possible, servers should be placed behind tightly controlled access layers, with multi-factor authentication enforced for all users who can reach the platform.
The flaw also adds weight to a recurring concern in enterprise security: vulnerabilities that require authentication are often treated as secondary risks, even though attackers frequently obtain valid credentials through phishing, malware, password reuse or token theft. Once inside, a low-privileged account can become a useful entry point if exposed enterprise applications contain exploitable weaknesses.