GTconsult

CVE-2026-45659 Explained: What the SharePoint RCE Vulnerability Means for Your On-Prem Environment

18.06.26 12:18 PM By Boitumelo

CVE-2026-45659 is a remote code execution (RCE) vulnerability affecting Microsoft SharePoint On-Premises, caused by a flaw in how SharePoint handles .NET deserialization. Microsoft patched it on 21 May 2026, and if you manage a SharePoint Server 2016, 2019, or Subscription Edition environment, this is one to take seriously.

We sat down with GTconsult Security Analyst Kyle Farr to unpack what this vulnerability actually means, why it is more dangerous than last month's SharePoint spoofing flaw (CVE-2026-32201), and exactly what to do about it. Here is the full breakdown.

What Is CVE-2026-45659?

CVE-2026-45659 is a flaw in the way Microsoft SharePoint On-Premises servers handle .NET deserialization. In plain terms, SharePoint accepts requests from users and systems, and those requests arrive in a packaged (serialized) format. Before SharePoint can act on a request, it needs to unpack it, a process called deserialization.

Attackers found a way to craft that package so that the unpacking process itself forces the server to run code it was never meant to run. Once that happens, the attacker can execute commands as the SharePoint service account, which means they effectively gain control over part of your environment.

Microsoft has rated CVE-2026-45659 as Important severity with a CVSS score of 8.8. Exploitation requires the attacker to first authenticate to the server, but only with a standard Site Member permission. No administrator rights and no user interaction are needed once that access is in place.

Why Deserialization Keeps Showing Up in SharePoint Vulnerabilities

Deserialization has been the root cause behind several recent SharePoint CVEs, and it is a useful concept to understand even if you are not technical. Kyle's way of putting it: imagine someone hands you a box of old books for your home. The box looks completely normal. What you do not know is that a small colony of cockroaches is hiding inside. The moment you open the box, they make their way into your home through the cracks, and before long you have an infestation.


That is roughly what happens here. A request that looks like ordinary SharePoint traffic carries something harmful inside it, and the act of opening or unpacking that request is what allows the problem in.


SharePoint RCE vs Spoofing: Why CVE-2026-45659 Is More Dangerous

Last month's vulnerability, CVE-2026-32201, was a spoofing flaw, which relies on tricking a person. An attacker pretends to be someone else, often to commit fraud or to harvest real credentials through social engineering. It still requires a human to be fooled somewhere along the way.


Remote code execution skips that step entirely. Once an attacker has the required access, no one needs to be tricked into anything else. The attacker sends crafted code directly to the server, and the server runs it. That direct path is why RCE vulnerabilities are treated as far more serious than spoofing flaws.

Who Is Affected: The Site Member Permission Risk

One of the more unsettling details Kyle pointed out is that this exploit does not require special access beyond standard authentication. A Site Member permission, which sits roughly in the middle between read-only access and full admin rights, is enough. That happens to be the default permission level for most people in a typical SharePoint environment.


This does not necessarily mean the threat comes from inside your organisation on purpose. Entry points can include a disgruntled employee, a compromised laptop being used without its owner's knowledge, or someone being socially engineered into running a command they were told was harmless. It can also include an external attacker who has already obtained valid credentials through phishing, malware, or password reuse. The common thread is that the access required to exploit this is access that most of your users, or a single compromised account, already have.

Which SharePoint Versions Are Affected by CVE-2026-45659?

This vulnerability affects SharePoint On-Premises only. If you are on SharePoint Online, you are not affected by this particular CVE.


  SharePoint Server 2016 (and SharePoint Enterprise Server 2016, which uses the same security update)
  SharePoint Server 2019
  SharePoint Subscription Edition


Earlier reporting on this CVE referenced SharePoint 2013 as affected. Microsoft's confirmed advisory lists Server 2016, Server 2019, and Subscription Edition as the in-scope versions. If you are running SharePoint 2013, it reached end of support some time ago and no longer receives security updates of any kind, which is reason enough on its own to plan a move to a supported edition.

The 14 July 2026 SharePoint End of Support Deadline

This vulnerability lands at an awkward time for anyone still running older SharePoint On-Premises versions. Mainstream support for SharePoint Server 2016 and 2019 ends on 14 July 2026. After that date, organisations still running those versions will no longer receive security updates, which means future vulnerabilities like this one will go unpatched.


If your organisation relies heavily on SharePoint and downtime feels too risky to plan a migration, it is worth remembering that the risk works both ways. Staying on an unsupported version carries its own quiet, growing cost.

How to Protect Your SharePoint Environment Right Now

1.  Patch immediately. The security update for CVE-2026-45659 was released on 21 May 2026. If you have not applied it yet, this is the first thing to do.

2.  Monitor your environment. Watch your SharePoint logs for anything related to deserialization, and keep an eye on the processes running under your SharePoint service account. Unusual or unexpected processes are often the first sign that something has gone wrong.

3.  Review your permissions. Move towards a zero trust approach where people and service accounts only have access to what they actually need. Avoid granting broad Site Member or higher permissions out of convenience.
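
As an added illustration of step 2 (not code from GTconsult or Microsoft), the following Python example triages process-creation records, using Sysmon Event ID 1 field names, for processes running as the SharePoint service account. The account name CONTOSO\svc-spapppool, the baseline of expected child processes and the sample records are assumptions constructed for this example; replace them with your farm's values.

```python
import ntpath

# Assumptions: the account name and the child-process baseline are placeholders
# for this example; tune both to what your own farm normally does.
SERVICE_ACCOUNT = r"CONTOSO\svc-spapppool"   # hypothetical app pool identity
IIS_WORKER = "w3wp.exe"                      # IIS worker process hosting SharePoint
# ASP.NET compiles pages on demand, so compiler launches are expected children.
EXPECTED_CHILDREN = {"csc.exe", "vbc.exe"}
# Interpreters and script hosts a web worker has no routine reason to start.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe",
                "wscript.exe", "mshta.exe", "rundll32.exe"}

def basename(path):
    """Lower-cased file name of a Windows path, tolerant of empty fields."""
    return ntpath.basename(path or "").lower()

def triage(event):
    """Return 'high', 'review' or None for one process-creation record."""
    if (event.get("User") or "").lower() != SERVICE_ACCOUNT.lower():
        return None                       # not the SharePoint identity
    child = basename(event.get("Image"))
    parent = basename(event.get("ParentImage"))
    if child in INTERPRETERS:
        return "high"                     # interpreter under the service account
    if parent == IIS_WORKER and child not in EXPECTED_CHILDREN:
        return "review"                   # unfamiliar child of the web worker
    return None

def scan(events):
    """Return (severity, UtcTime, Image, CommandLine) for each flagged record."""
    graded = [(triage(ev), ev) for ev in events]
    return [(sev, ev.get("UtcTime"), ev.get("Image"), ev.get("CommandLine"))
            for sev, ev in graded if sev]

def _ev(t, user, parent, image, cmd):
    return {"UtcTime": t, "User": user, "ParentImage": parent,
            "Image": image, "CommandLine": cmd}

# Constructed sample records (not real telemetry).
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE_EVENTS = [
    _ev("2026-06-02 08:14:03", SERVICE_ACCOUNT, W3WP,
        r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "csc.exe /noconfig"),
    _ev("2026-06-02 09:31:47", r"contoso\SVC-SPAPPPOOL", W3WP,
        r"C:\Windows\System32\CMD.EXE", "cmd.exe /c whoami"),
    _ev("2026-06-02 09:32:10", SERVICE_ACCOUNT, W3WP, r"C:\Windows\Temp\updater.exe", "updater.exe"),
    _ev("2026-06-02 10:05:00", r"CONTOSO\admin.jane", r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(*hit, sep=" | ")
```

The compiler launch and the administrator's own PowerShell session pass untouched, while the interpreter and the unfamiliar binary started by the web worker are flagged for investigation.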


If you are running anything older than SharePoint 2019, it is a good time to start planning your move to Subscription Edition, particularly with support for 2016 and 2019 ending on 14 July 2026.

Frequently Asked Questions About CVE-2026-45659

How do I fix CVE-2026-45659?

Apply Microsoft's security update released on 21 May 2026 for your SharePoint version. If you are unsure which update applies to your farm, GTconsult can help you confirm the correct KB and validate your patch status.

Is SharePoint Online affected by CVE-2026-45659?

No. CVE-2026-45659 only affects SharePoint On-Premises (Server 2016, 2019, and Subscription Edition). SharePoint Online is not affected.

What is the CVSS score of CVE-2026-45659?

CVE-2026-45659 has a CVSS score of 8.8 and is rated Important severity by Microsoft.

Does CVE-2026-45659 require authentication to exploit?

Yes. Unlike a fully unauthenticated attack, exploitation requires the attacker to already have valid credentials with at least Site Member permissions on the target SharePoint site. No administrator privileges or user interaction are required beyond that.

Has CVE-2026-45659 been exploited in the wild?

Microsoft has assessed exploitation as less likely at this time, and there is no public proof-of-concept exploit available. That said, SharePoint deserialization and RCE flaws have been weaponised quickly in the past, so patching promptly is still strongly recommended.

Not Sure Where Your SharePoint Environment Stands?

Not every organisation has a dedicated SharePoint or security specialist on hand, and that is exactly where GTconsult can help. We know SharePoint back to front and offer security assessments to help you understand exactly where your environment stands and what to prioritise.


Watch the full conversation with Kyle Farr on YouTube (or right at the top of this blog) for the complete breakdown, read our coverage of last month's SharePoint spoofing vulnerability (CVE-2026-32201), or get in touch with GTconsult to talk through your SharePoint environment.

For the official technical advisory, see CVE-2026-45659 on the National Vulnerability Database.

Boitumelo