SharePoint RCE CVE-2026-45659 Patched by Microsoft

Microsoft Patches Critical SharePoint RCE Flaw CVE-2026-45659

Microsoft has released a patch for CVE-2026-45659, a remote code execution vulnerability affecting multiple versions of SharePoint Server. The flaw allows an authenticated attacker to execute arbitrary code on the underlying server without requiring elevated privileges beyond standard site access. For organizations running on-premises SharePoint deployments, this is a serious problem that needs immediate attention.

The patch covers SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016. If your organization runs any of these versions without auto-update policies enforced, you are currently exposed.

How the CVE-2026-45659 Remote Code Execution Vulnerability Works

SharePoint's server-side processing pipelines handle a wide range of user-supplied inputs, from document uploads to list item serialization. CVE-2026-45659 exploits a deserialization weakness in one of these pipelines. An attacker with authenticated access crafts a malicious payload that, when processed by the SharePoint server, triggers code execution in the context of the application pool identity.

No special administrative permissions are required. A standard SharePoint user account is enough to initiate the attack. That lowers the bar significantly and widens the potential attacker pool from targeted insiders to anyone who has obtained valid credentials through phishing or credential stuffing.

The attack does not require direct file system access or a separate exploit chain. One request, one payload, code running on your server.

What Developers and Admins Have at Risk

Running unpatched SharePoint exposes more than just document libraries. The application pool identity often has broad read/write access to configuration databases, user profile data, and file shares mounted on the server. Successful exploitation can lead to lateral movement into adjacent systems, credential harvesting from SharePoint's configuration database, and persistent backdoor installation via SharePoint features or timer jobs.

Organizations that use SharePoint as an intranet hub, an HR portal, or a document management system for sensitive contracts are particularly exposed. Data exfiltration from a compromised SharePoint instance can happen quietly, with no obvious indicators in standard access logs.

Hybrid SharePoint deployments that bridge on-premises servers with Microsoft 365 introduce additional risk. A compromised on-premises server with hybrid trust configured could be used to pivot toward cloud-side resources.

How to Protect Your SharePoint Deployment Against RCE Attacks

Apply the patch immediately. Microsoft has made updates available through Windows Server Update Services and the Microsoft Download Center for all affected versions. Prioritize this over your standard monthly patching cycle.

Beyond patching, several defensive steps reduce your exposure:

• Restrict SharePoint access to authenticated users with a legitimate business need. Remove stale accounts and guest access that has accumulated over time.
• Monitor application pool logs for unusual process spawning, outbound network connections from the SharePoint worker process, or unexpected file writes in the SharePoint root directories.
• Segment SharePoint servers from your internal network where possible. Limit which systems can initiate connections to and from the SharePoint host.
• Run a web vulnerability scan against your SharePoint instance to identify exposed endpoints and misconfigurations that compound the risk of flaws like this one. Scan your environment now at /scan.
• Review whether hybrid connectivity grants broader trust than operationally necessary and tighten those configurations.

Patching alone addresses CVE-2026-45659 specifically. Hardening the surrounding environment limits the damage if another vulnerability surfaces next month.

Frequently Asked Questions

Does CVE-2026-45659 affect SharePoint Online or Microsoft 365? No. This vulnerability affects on-premises SharePoint Server versions only. Microsoft 365 and SharePoint Online are managed by Microsoft and were not impacted.

Do attackers need admin rights to exploit this flaw? No. Standard authenticated user access to a SharePoint site is sufficient to trigger the exploit. This makes it easier to weaponize via compromised user credentials.

How do I verify my SharePoint Server has received the patch? Check the build version in SharePoint Central Administration under "Servers in Farm." Compare it against the patched build numbers listed in Microsoft's official security advisory for CVE-2026-45659.

Check whether your SharePoint deployment is properly patched and hardened by running a full scan at VibeWShield.