Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions

Source: The Hacker News

Overview

Microsoft has released updates that fix a remote code execution (RCE) vulnerability in SharePoint. The flaw, tracked as CVE‑2026‑45659, has a CVSS score of 8.8 and is classified with an Important severity.

Vulnerability details

• Type: Deserialization of untrusted data in Microsoft Office SharePoint.
• Impact: An authenticated attacker can execute code over the network.
• Required privileges: Minimum “Site Member” permissions (PR:L); no administrator or elevated rights are needed.
• Attack vector: Network‑based; the attacker must be authenticated to the SharePoint site.

“Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network,” Microsoft stated in its advisory.

The vulnerability was discovered and reported by researcher MEOW.

Affected versions

Updates have been released for the following SharePoint products:

• SharePoint Server Subscription Edition
• SharePoint Server 2019
• SharePoint Enterprise Server 2016

Related vulnerability

In April 2026, Microsoft also issued patches for a spoofing vulnerability affecting SharePoint Server, identified as CVE‑2026‑32201 (CVSS 6.5). That flaw has been observed in the wild.

Applying the latest updates is strongly recommended to mitigate the risk posed by CVE‑2026‑45659 and to maintain the security of SharePoint deployments.