Patch SharePoint CVE-2026-45659 before CISA's July 4 KEV deadline

Editorial cover image for SharePoint CVE-2026-45659 KEV remediation.LinkLoot editorial
Editorial cover image for SharePoint CVE-2026-45659 KEV remediation.LinkLoot editorial
Tools & Apps

CISA added Microsoft SharePoint Server CVE-2026-45659 to the Known Exploited Vulnerabilities catalog on July 1, giving federal teams until July 4 to mitigate the actively exploited deserialization flaw.

CISA has added Microsoft SharePoint Server CVE-2026-45659 to the Known Exploited Vulnerabilities catalog. Confidence level: confirmed by CISA's KEV data, NVD, and Microsoft's vendor advisory reference. The urgent action is to identify affected on-prem SharePoint Server deployments, apply Microsoft's mitigations, and verify exposure before CISA's July 4, 2026 deadline.

What changed

CISA added CVE-2026-45659 to KEV on July 1, 2026. The entry describes a SharePoint Server deserialization of untrusted data vulnerability that allows an authorized attacker to execute code over a network.

NVD lists the issue as high severity with a Microsoft CNA CVSS 3.1 base score of 8.8. NVD also shows affected product lines for SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition, with fixed-version thresholds supplied in the CVE record.

ItemWhat to checkSource signalDeadline/statusCaveat
CVE-2026-45659SharePoint Server deserialization flawCISA KEV, NVD, MSRCAdded July 1; due July 4Requires authorized attacker per NVD wording
Affected estateSharePoint 2016, 2019, Subscription EditionNVD affected product dataPatch or mitigate nowConfirm exact build numbers locally
Exploitation statusActive exploitationCISA KEV and NVD CISA updateKEV priorityRansomware use is listed as unknown
Required actionVendor mitigation plus BOD 26-04 handlingCISA KEVJuly 4 for federal agenciesNon-federal teams should still prioritize

Key takeaways

  • CVE-2026-45659 is now a CISA KEV item, which means CISA has evidence of active exploitation.
  • The flaw affects Microsoft SharePoint Server, not generic Microsoft 365 collaboration workflows.
  • NVD lists the weakness as CWE-502, deserialization of untrusted data.
  • Federal civilian agencies have a July 4, 2026 KEV due date; private organizations should use the same urgency if SharePoint is exposed or business-critical.
  • Treat build verification, backup checks, and post-patch validation as part of the remediation, not optional cleanup.

Availability and access

The public sources identify the affected product family and reference Microsoft's advisory, but the MSRC page requires a JavaScript-capable browser for full interactive details. Security teams should use their normal Microsoft update channels, admin portals, or offline security update tooling to confirm applicable KBs and installed builds.

Start with internet-facing SharePoint, externally reachable VPN-adjacent SharePoint, and any tenant or partner environment where authenticated access is broad. Because the attacker is described as authorized, internal exposure and compromised low-privilege accounts still matter.

Practical LinkLoot angle

Do not wait for exploit writeups before acting on KEV entries. KEV is a prioritization signal: it says the vulnerability is known to be exploited, which should move it ahead of theoretical CVEs with higher headline scores but no active-use evidence.

Use this as a patch-management drill: inventory, patch or mitigate, verify build numbers, review logs, and document exceptions. For broader automation around security workflows, see LinkLoot's AI workflow guide: /guides/ai-workflow-automation.

What to verify before you act

  • Confirm whether you run SharePoint Enterprise Server 2016, SharePoint Server 2019, or SharePoint Server Subscription Edition.
  • Compare installed build numbers against Microsoft's advisory and your normal update source.
  • Check internet exposure, VPN exposure, partner access, and broad internal authenticated access.
  • Preserve relevant logs before major remediation if incident response may be needed.
  • Validate the patch or mitigation after deployment, then re-scan assets and close exceptions in your risk register.

Source check

Confirmed by:

  • CISA's KEV catalog lists CVE-2026-45659, Microsoft SharePoint Server, active exploitation evidence, the July 1 date added, and the July 4 due date.
  • NVD lists the CVE description, CVSS 3.1 score, Microsoft advisory reference, CISA KEV status, CWE-502, and affected SharePoint product lines.
  • Microsoft is referenced by NVD and CISA as the vendor advisory source through MSRC.

Context:

  • CISA BOD 26-04 explains the risk-based remediation framework referenced in the KEV required action. It is especially relevant for federal agencies, but the operating model is useful for any team triaging exploited vulnerabilities.
FAQ

It is a Microsoft SharePoint Server deserialization of untrusted data vulnerability that can allow an authorized attacker to execute code over a network.