Microsoft Patched a Critical SharePoint RCE but Omitted the CVE from Official Documentation

On May 12, 2026, as part of its standard Patch Tuesday cycle, Microsoft distributed security updates for SharePoint Server without including CVE-2026-45659—a remote code execution (RCE) vulnerability with a CVSS score of 8.8—in the official documentation. This omission only surfaced in the following weeks, leaving administrators who rely on CVE lists to prioritize updates in the dark. Organizations that installed the May patches are protected without realizing it; however, those that delayed the update, deeming it non-critical, have left their on-premises servers exposed to a low-complexity network attack.

A Failure in the Disclosure Process

The issue is procedural rather than technical. According to Microsoft's updated advisory reported by Help Net Security, CVE-2026-45659 was "inadvertently omitted" from the May 2026 security update list. While the patch was present in the binaries distributed on May 12, the identifier was missing from the documentation administrators consult to assess update criticality.

This type of error, known in the industry as a "silent patch," breaks a critical link in the vulnerability disclosure supply chain: the correlation between an installed update and a mitigated risk. Organizations that apply patches automatically were protected unknowingly; those that perform risk-benefit assessments based on official CVE lists delayed installation, unknowingly exposing themselves to risk.

The Attack Mechanism: Low-Privilege Deserialization

The mechanism behind CVE-2026-45659 lies in the deserialization of untrusted data within Microsoft Office SharePoint. The server implicitly trusts serialized data received from authenticated users and processes it without sufficient verification, allowing for arbitrary code execution.

"Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network" — Microsoft MSRC, advisory CVE-2026-45659

The full attack vector, as documented in the Microsoft advisory with a CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H score, indicates network access (AV:N), low complexity (AC:L), low privileges (PR:L), and no user interaction required (UI:N). The impact is total across confidentiality, integrity, and availability. The decisive condition is that the attacker must be authenticated with Site Member permissions—the lowest level of collaborative access in SharePoint.

This attack profile makes the vulnerability particularly dangerous in two scenarios: environments with numerous internal users where the compromise of a single low-privilege account enables remote execution on the server, and situations where legitimate accounts have already been compromised via phishing or credential stuffing.

Affected Versions and Patch Identification

The vulnerability exclusively affects on-premises installations of SharePoint Server. The patched versions and their corresponding build numbers have been documented by Help Net Security: SharePoint Server Subscription Edition build 16.0.19725.20280 (KB5002863), SharePoint Server 2019 build 16.0.10417.20128 (KB5002870), and SharePoint Enterprise Server 2016 build 16.0.5552.1002 (KB5002868).

Microsoft support pages for each KB list the May 2026 updates but do not explicitly mention CVE-2026-45659 in the public text, confirming the documentation omission. However, the bug fix is included in the binary packages, as verified by the subsequent update to the MSRC advisory.

There is no evidence in the dossier that the vulnerability affects SharePoint Online or Microsoft 365; all sources converge on on-premises targets.

Verification and Mitigation

Priority actions for system administrators depend on the status of their May 2026 updates:

• Verify Patch Installation: Check for the presence of KB5002863, KB5002870, or KB5002868 on on-premises SharePoint servers. Those who have already installed the May updates require no further action, according to Microsoft and Help Net Security.
• Prioritize High-User Environments: In systems where numerous or untrusted users hold Site Member permissions, accelerate installation if not yet completed; the attack surface is directly proportional to the number of accounts with access.
• Inventory-CVE Correlation: Update patch management procedures to avoid relying exclusively on Microsoft's initial CVE lists, ensuring that retroactive revisions to MSRC advisories are also verified.
• Behavioral Monitoring: Monitor for anomalous activity from Site Member accounts that may indicate exploitation attempts, as the vector remains technically valid despite Microsoft's "Less Likely" exploitation rating.

Process Lessons: When Disclosure Fails

The CVE-2026-45659 incident is not an isolated case in Microsoft's vulnerability disclosure history. The dossier cites CVE-2026-32201—a SharePoint spoofing vulnerability with a CVSS of 6.5 that was actively exploited and added to the CISA KEV catalog—as historical context, demonstrating that SharePoint remains a recurring target for threat actors.

However, there is no infrastructure overlap between the two vulnerabilities: they involve different mechanisms (deserialization vs. spoofing), different severity levels, and there is no indication that CVE-2026-45659 has been exploited or shares infrastructure with CVE-2026-32201. The mention of CVE-2026-32201 serves only to frame the platform's historical risk profile.

The May 2026 omission raises structural questions about the reliability of CVE lists as the sole input for security decisions. When a vendor fails to catalog a flaw with total impact on CIA (Confidentiality, Integrity, Availability), organizations with mature but rigid processes become secondary victims of a process failure, not a technological one.

Discovery and Attribution

The vulnerability was identified and reported by a researcher known by the moniker "MEOW," as documented by The Hacker News and Security Affairs. The dossier contains no information regarding the researcher's real identity or any bug bounty rewards. While Microsoft classified exploitation as "Less Likely" and has not detected public exploit code, this assessment does not eliminate the risk for unpatched systems.

The researcher has not published technical details of the payload or the deserialization gadget chain, and the dossier does not contain such information. This limitation prevents the construction of specific indicators of compromise (IoCs) but does not reduce the criticality of the vulnerability for exposed systems.

Information has been verified against the cited sources and is current as of the time of publication.

Sources

• https://thehackernews.com/2026/05/microsoft-patches-sharepoint-rce-flaw.html
• https://krebsonsecurity.com/2026/04/patch-tuesday-april-2026-edition/
• https://www.it-connect.tech/microsoft-patches-sharepoint-rce-flaw-cve-2026-45659/
• https://thomasharris6.wordpress.com/2026/05/26/microsoft-patches-sharepoint-rce-flaw-cve-2026-45659-across-server-versions/
• https://www.helpnetsecurity.com/2026/05/26/sharepoint-vulnerability-cve-2026-45659/
• https://securityaffairs.com/192730/security/microsoft-sharepoint-has-a-new-rce-flaw-if-you-havent-patched-yet-go-do-that.html
• https://petri.com/microsoft-fixes-sharepoint-rce-flaw-on-prem-servers/
• https://www.cve.org/CVERecord?id=CVE-2026-32201
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45659
• https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-sharepoint-server-subscription-edition-may-12-2026-kb5002863-91158c5e-7155-47f8-86c2-9f8924cbfa12
• https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-sharepoint-server-2019-may-12-2026-kb5002870-78ccf6f5-7506-42f1-b459-70c6d6d122da
• https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-sharepoint-server-2016-may-12-2026-kb5002868-5cc10216-f312-4ded-86d2-4940b3a1fded