Last updated: July 5, 2026 at 9:01 AM UTC
Tag: oob-patch (1 article)

Microsoft issues out-of-band SharePoint RCE patch CVE-2026-45659 for Subscription Edition, 2019, and 2016 servers

Microsoft has released an out-of-band patch for CVE-2026-45659, a remote code execution vulnerability in Microsoft SharePoint Server. The flaw is a deserialization issue and was reported privately by a researcher named MEOW. Microsoft says it is not currently aware of active exploitation and rates the flaw 'less likely to be exploited.' Updates are available for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Last month's CVE-2026-32201 spoofing flaw was actively exploited, and machine-key-theft attacks against SharePoint were widespread in 2025, so admins should treat this patch as a priority despite the lower-likelihood rating.

Check
Inventory SharePoint deployments by edition (Subscription, 2019, 2016) and confirm the patch level of each. Check IIS logs for unusual deserialization activity since the patch shipped.
Affected
Microsoft SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016 prior to the May 26 out-of-band updates.
Fix
Apply Microsoft's out-of-band CVE-2026-45659 patches across all SharePoint versions. Rotate machine keys after patching, because prior SharePoint key-theft incidents enabled persistent post-patch access.