High-severity SharePoint RCE bug patched by Microsoft (CVE-2026-45659)
Microsoft patched CVE-2026-45659, a high-severity remote code execution vulnerability in SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016.

Microsoft has released patches for a high-severity remote code execution vulnerability (CVE-2026-45659) in SharePoint that may be exploited in low-complexity attacks. The flaw affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016.
CVE-2026-45659 stems from SharePoint deserializing untrusted data, and may be exploited by an authenticated attacker to execute code remotely on a vulnerable SharePoint Server instance – no user interaction required. The attack complexity is Low (AC:L) because the attacker only needs basic user-level access to the SharePoint site.
The vulnerability is rated high-severity with a CVSS score of 8.8. While authentication is required, the low complexity and lack of user interaction make it a significant risk for organizations running affected versions. Microsoft has not reported any active exploitation in the wild as of the patch release.
Organizations running affected SharePoint versions should apply the security update immediately. The patch is available through Microsoft's standard update channels, including Windows Update and the Microsoft Update Catalog. There are no known workarounds for this vulnerability.
This is the second SharePoint-related vulnerability patched by Microsoft in recent months, following CVE-2026-40361, a critical zero-click Outlook RCE. The deserialization flaw highlights the ongoing challenge of securing complex enterprise collaboration platforms against remote code execution attacks.
Administrators should prioritize patching SharePoint servers, especially those exposed to the internet or with many authenticated users. As with all security updates, testing in a non-production environment before broad deployment is recommended.
The Hacker News adds that the vulnerability, discovered by a researcher named MEOW, is a deserialization-of-untrusted-data flaw that requires only Site Member permissions (PR:L) to exploit. Microsoft assesses CVE-2026-45659 as less likely to be exploited but urges patching, given the history of SharePoint bugs being weaponized. The Hacker News also notes that last month Microsoft fixed a separate SharePoint spoofing bug (CVE-2026-32201) that was exploited in the wild.
Cyber Security News adds technical detail on the attack vector: any authenticated user with Site Member-level permissions can trigger the deserialization flaw over the network, without administrative privileges. Its article also provides the exact KB article numbers and build versions for each affected SharePoint edition, and recommends immediate mitigations such as auditing site membership permissions, monitoring for unusual deserialization activity, and isolating internet-facing SharePoint instances until patches are applied.