Microsoft has patched CVE-2026-45659, a SharePoint Server remote code execution flaw that an authenticated attacker could exploit over the network with only Site Member permissions.
Source: The Hacker News — https://thehackernews.com/2026/05/microsoft-patches-sharepoint-rce-flaw.html
Microsoft rates the bug as Important, with a CVSS score of 8.8. The company says exploitation is “less likely,” but that should not lower the patch priority for exposed or broadly used SharePoint deployments. The permission bar is low, the target is central, and SharePoint has a long record of becoming useful infrastructure for attackers once a working exploit path exists.
What Microsoft fixed#
CVE-2026-45659 is described by Microsoft as a deserialization of untrusted data issue in Microsoft Office SharePoint. In practical terms, the concern is not just application compromise. Microsoft says an authorized attacker could execute code remotely on the SharePoint Server.
The advisory language matters. Microsoft says the flaw can be triggered in a network-based attack by an authenticated user with minimum Site Member permissions. The attacker does not need administrator rights or other elevated privileges.
That makes the bug operationally different from vulnerabilities that require a privileged SharePoint role, local access, or a special deployment condition. A compromised low-privilege account may be enough to start the chain, depending on the target environment and whether the affected server has been patched.
Microsoft credited a researcher named MEOW for discovering and reporting the vulnerability.
Affected versions and update scope#
The Hacker News report says Microsoft released updates for:
- SharePoint Server Subscription Edition
- SharePoint Enterprise Server 2016
Organizations running these versions should treat the update as a server-side priority, especially where SharePoint is reachable from broad internal networks, partner access paths, VPN users, or internet-facing configurations.
The source material does not state that SharePoint Server 2019 is affected, does not list build numbers, and does not provide exploit code, indicators of compromise, or telemetry showing active attacks. Those gaps should be preserved. This is a patch notice with meaningful risk, not confirmed mass exploitation.
Why this matters even without active exploitation#
Authenticated RCEs often sit in an uncomfortable middle ground. They are not as immediately alarming as unauthenticated internet-facing bugs. They are also not harmless.
SharePoint usually holds documents, workflows, internal lists, identity-linked permissions, and integrations with the rest of a Microsoft environment. A remote code execution path on the server can become a pivot point, not just a data access problem.
The low privilege requirement is the key detail. Many organizations have large numbers of Site Members across departments, contractors, and project spaces. If one of those accounts is phished, stolen through infostealer logs, or misused by an insider, the vulnerability could give an attacker a stronger foothold than the account itself should allow.
That is why “authenticated” should not be read as “low risk.” In enterprise environments, valid credentials are one of the most common attacker assets.
What not to overclaim#
There is no statement in the provided source that CVE-2026-45659 is being exploited in the wild. Microsoft reportedly says exploitation is less likely. That is relevant and should be included in any risk call.
It is also not the same bug as the SharePoint spoofing vulnerability Microsoft patched last month, which The Hacker News identifies as CVE-2026-45660 with a CVSS score of 6.5 and notes had been exploited in the wild. The comparison is useful only as context: SharePoint flaws keep attracting real attacker attention. It does not prove this new RCE is already in use.
The safe reading is narrower: Microsoft patched a high-scoring SharePoint RCE reachable by low-privilege authenticated users, and organizations should update before attacker interest catches up.
Practical checks for defenders#
Patch first. This is the simplest useful action if the organization runs the affected SharePoint versions.
After that, review the exposure model. A SharePoint server reachable from the internet, a large VPN population, or broad partner access deserves faster handling than a tightly segmented internal instance with limited users. Both should be patched, but sequencing matters when teams have too many fixes in flight.
Security teams should also check:
- which SharePoint Server versions are deployed
- whether Subscription Edition or SharePoint Enterprise Server 2016 systems are still active
- whether those systems are internet-facing or reachable from remote-access networks
- how many low-privilege Site Members exist on sensitive sites
- whether recent authentication logs show unusual access from new geographies, devices, or impossible travel patterns
- whether server logs show abnormal requests from ordinary Site Member accounts after patch release
The source does not provide known indicators, so defenders should avoid hunting for fake precision. Start with access patterns, account behavior, server-side anomalies, and patch validation.
The real risk is permission drift#
The technical flaw is deserialization. The enterprise risk is permission sprawl.
SharePoint environments often age badly. Sites multiply. Membership groups survive old projects. Contractors remain in access lists. Internal users accumulate permissions because removing access is politically harder than granting it.
A vulnerability that only needs Site Member permissions lands directly on that weakness. The attacker does not need the most powerful account in the company. They need one useful account in the right place, then a vulnerable server.
That is the practical lesson from CVE-2026-45659. Patch the bug, but also look at the blast radius created by ordinary SharePoint membership. Low privilege is only low risk when the platform enforces a hard boundary behind it.