Introduction
A deserialization flaw in Microsoft SharePoint Server, patched in the May 2026 Patch Tuesday cycle, allows any authenticated user with basic Site Member permissions to execute arbitrary code remotely on the server. With a CVSS 3.1 base score of 8.8 and high impact across confidentiality, integrity, and availability, CVE-2026-33110 is one of six Remote Code Execution vulnerabilities addressed in SharePoint this month, arriving just weeks after a separate SharePoint zero day (CVE-2026-32201) was confirmed exploited in the wild during April 2026.
Technical Information
The root cause of CVE-2026-33110 is deserialization of untrusted data, classified under CWE-502. In .NET applications like SharePoint, deserialization vulnerabilities arise when the application accepts serialized objects from user controlled input and reconstructs them without adequate validation. If an attacker can supply a crafted serialized payload, the deserialization process can instantiate arbitrary objects and trigger code execution on the server.
The vulnerability is network accessible (Attack Vector: Network) and has low attack complexity, meaning an attacker does not need specialized knowledge of the target environment to achieve repeatable exploitation. The CVSS 3.1 vector string provided by Microsoft is: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, reflecting high impact across confidentiality, integrity, and availability.
A key characteristic of this flaw is the privilege requirement. The attacker must be authenticated, but only needs Site Member permissions, which is the default permission level granted to standard users in most SharePoint deployments. No user interaction is required; the vulnerable server can be compromised solely at the attacker's initiative without any action from a victim or administrator.
Attack Flow
From an attack flow perspective, exploitation would proceed as follows:
- The attacker authenticates to the target SharePoint server using valid credentials with at least Site Member level access.
- The attacker crafts a malicious serialized payload targeting the vulnerable deserialization endpoint within SharePoint.
- The attacker sends the payload over the network to the SharePoint server.
- The server deserializes the untrusted data without proper validation, causing the attacker's code to execute in the context of the SharePoint application.
- Depending on the server configuration and service account privileges, the attacker may achieve full control over the SharePoint server, access sensitive documents, pivot laterally within the network, or establish persistence.
The specific vulnerable component within SharePoint has not been publicly disclosed by Microsoft, and no public proof of concept exploit payloads are available at this time. The impact ratings (High for confidentiality, integrity, and availability) indicate that successful exploitation grants the attacker substantial control over the affected system.
Patch Information
Microsoft has released official patches for all supported on premises editions of SharePoint Server. There are no workarounds; applying the patch is the only vendor recommended mitigation. The MSRC advisory marks the Remediation Level as Official Fix with a Customer Action status of Required, meaning Microsoft considers this a mandatory security update.
The following Knowledge Base updates address CVE-2026-33110:
| Product | KB Article | Patched Build | Replaces |
|---|---|---|---|
| SharePoint Server Subscription Edition | KB5002863 | 16.0.19725.20280 | KB5002853 |
| SharePoint Server 2019 | KB5002870 | 16.0.10417.20128 | KB5002854 |
| SharePoint Enterprise Server 2016 | KB5002868 | 16.0.5552.1002 | KB5002861 |
These cumulative updates are distributed through three channels: Microsoft Update (automatic delivery when automatic updates are enabled), the Microsoft Update Catalog (for manual standalone package download), and the Microsoft Download Center (direct download links). To verify successful patching, administrators should check their SharePoint build number against the patched builds listed above.
Workflow Manager Prerequisite
All three KB articles warn that if your farm currently runs SharePoint Workflow Manager, you must first install the Workflow Manager update (KB5002799) before applying the May 2026 cumulative update. For farms running the Classic version of Workflow Manager, a debug flag must also be enabled post installation using the following PowerShell commands:
$farm = Get-SPFarm $farm.ServerDebugFlags.Add(53601) $farm.update() iisreset
Additional Notes
These cumulative updates are superseding patches: KB5002863 replaces KB5002853, KB5002870 replaces KB5002854, and KB5002868 replaces KB5002861. If you skipped the previous month's update, the May 2026 patch includes those prior fixes as well. The same KB number (KB5002868) applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016, covering both editions with a single update.
Affected Systems and Versions
The following Microsoft SharePoint Server products are affected:
| Product | Severity | Patched Build |
|---|---|---|
| Microsoft SharePoint Enterprise Server 2016 | Important | 16.0.5552.1002 |
| Microsoft SharePoint Server 2019 | Important | 16.0.10417.20128 |
| Microsoft SharePoint Server Subscription Edition | Important | 16.0.19725.20280 |
All on premises installations of these SharePoint Server editions running builds prior to the patched versions listed above are vulnerable. The vulnerability requires network access and authentication with at least Site Member permissions.
Vendor Security History
SharePoint has been a frequent subject of security advisories from Microsoft. In the May 2026 Patch Tuesday release alone, Microsoft addressed six distinct Remote Code Execution vulnerabilities in SharePoint, all rated with a CVSS score of 8.8. This concentration of high severity flaws in a single product within one patch cycle is notable.
More concerning is the recent history of active exploitation. During the April 2026 Patch Tuesday cycle, CVE-2026-32201, a different SharePoint vulnerability, was confirmed as being exploited in the wild as a zero day. This pattern of recurring critical SharePoint vulnerabilities, combined with demonstrated attacker interest, reinforces the need for organizations to treat SharePoint patching as a high priority activity.
The broader May 2026 Patch Tuesday addressed 120 vulnerabilities across the Microsoft ecosystem, though none were zero days exploited in the wild at the time of release.
References
- CVE-2026-33110: Microsoft Security Response Center Advisory
- CVE-2026-33110: NVD Entry
- KB5002863: SharePoint Server Subscription Edition Security Update
- KB5002870: SharePoint Server 2019 Security Update
- KB5002868: SharePoint Enterprise Server 2016 Security Update
- Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero days (Bleeping Computer)
- Patch Tuesday May 2026 (PDQ)
- Microsoft's April 2026 Patch Tuesday Addresses 163 CVEs (Tenable)
- Microsoft's May 2026 Patch Tuesday (Tenable)
- The May 2026 Security Update Review (Zero Day Initiative)



