Introduction
A deserialization flaw in Microsoft SharePoint Server, patched in the May 2026 Patch Tuesday cycle, allows any authenticated user with site level privileges to execute arbitrary code on the underlying server over the network. With a CVSS 3.1 base score of 8.8 and no available workarounds, CVE-2026-35439 represents a significant risk for organizations running on premises SharePoint, particularly those with internet facing deployments where the authentication barrier is the only thing standing between an attacker and full code execution.
Technical Information
The vulnerability is classified under CWE-502: Deserialization of Untrusted Data. The root cause lies in how SharePoint Server processes serialized objects received over the network. When the server deserializes attacker controlled data without adequate validation, it opens a direct path to arbitrary code execution within the context of the SharePoint application process.
The full CVSS 3.1 vector string is:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Breaking this down:
| Metric | Value | Meaning |
|---|---|---|
| Attack Vector | Network (AV:N) | Exploitable remotely over the network |
| Attack Complexity | Low (AC:L) | No special conditions required |
| Privileges Required | Low (PR:L) | Standard site level authentication suffices |
| User Interaction | None (UI:N) | No victim action needed |
| Scope | Unchanged (S:U) | Impact confined to the vulnerable component |
| Confidentiality | High (C:H) | Full read access to server data |
| Integrity | High (I:H) | Full write access to server data |
| Availability | High (A:H) | Complete denial of service possible |
Authentication Requirements
The authentication bar for this vulnerability is notably low. According to the Zero Day Initiative's May 2026 security update review, anyone with site privileges possesses the necessary authentication to exploit the bug. Microsoft's own advisory specifies that an attacker authenticated as at least a Site Owner could write arbitrary code to execute remotely on the server. This does not require administrative or domain level credentials; a standard site level role is sufficient.
Attack Flow
Based on the available technical details, exploitation would proceed as follows:
- The attacker authenticates to the target SharePoint instance using any account with at least Site Owner privileges.
- The attacker crafts a malicious serialized payload designed to execute arbitrary commands upon deserialization.
- The attacker submits this payload to the vulnerable SharePoint endpoint over the network.
- The server processes the request and deserializes the untrusted data, causing the embedded code to execute with the privileges of the SharePoint application process.
Because the attack complexity is low and no user interaction is required, the entire chain from authentication to code execution can be performed programmatically without any special timing conditions or race windows.
Patch Information
Microsoft released official security updates on May 12, 2026, as part of the May 2026 Patch Tuesday cycle. The MSRC advisory confirms the remediation level as "Official Fix." No workarounds or alternative mitigations are available, and Microsoft has marked customer action as "Required" for all three affected products.
Available Patches
| Product | KB Article | Patched Build Number | Replaces |
|---|---|---|---|
| SharePoint Server Subscription Edition | KB5002863 | 16.0.19725.20280 | KB5002853 |
| SharePoint Server 2019 | KB5002870 | 16.0.10417.20128 | KB5002854 |
| SharePoint Enterprise Server 2016 | KB5002868 | 16.0.5552.1002 | KB5002861 |
Each update is cumulative and also resolves several other CVEs bundled into the same release, including CVE-2026-40357, CVE-2026-33112, CVE-2026-33110, CVE-2026-40368, CVE-2026-40367, and CVE-2026-40365. A single installation per affected product covers all May 2026 SharePoint fixes.
Prerequisites
If your farm is running SharePoint Workflow Manager, you must first install the Workflow Manager update KB5002799 (released November 2025). Farms still using the Classic version of Workflow Manager also need to enable a debug flag post installation using the following PowerShell commands:
$farm = Get-SPFarm $farm.ServerDebugFlags.Add(53601) $farm.update() iisreset
Obtaining and Verifying Patches
Patches can be obtained through three channels: Microsoft Update (automatic delivery if auto updating is enabled), the Microsoft Update Catalog (standalone packages), or the Microsoft Download Center (direct download links).
After deployment, administrators should verify that the SharePoint build number matches or exceeds the patched build listed above for their respective product edition. As an additional hardening measure, organizations should review and constrain Site Owner privileges to reduce the potential attack surface, since these roles provide sufficient access to trigger the exploit.
Affected Systems and Versions
The following on premises Microsoft SharePoint Server editions are affected:
- Microsoft SharePoint Server Subscription Edition (versions prior to build 16.0.19725.20280)
- Microsoft SharePoint Server 2019 (versions prior to build 16.0.10417.20128)
- Microsoft SharePoint Enterprise Server 2016 (versions prior to build 16.0.5552.1002)
Internet facing SharePoint instances are at elevated risk due to the network based attack vector combined with the low authentication requirement.
Vendor Security History
Microsoft addressed CVE-2026-35439 as part of a broader May 2026 Patch Tuesday release that fixed 120 vulnerabilities across Microsoft products, with no zero days reported in the batch. SharePoint has a documented history as a target for threat actors: in July 2025, Microsoft published a blog post detailing its efforts to disrupt active exploitation of on premises SharePoint vulnerabilities. While Microsoft currently assesses CVE-2026-35439 as "Exploitation Less Likely," the historical pattern of SharePoint vulnerabilities being weaponized after patch release suggests organizations should not delay remediation.
References
- MSRC Advisory: CVE-2026-35439
- NVD Detail: CVE-2026-35439
- KB5002863: Security update for SharePoint Server Subscription Edition
- KB5002870: Security update for SharePoint Server 2019
- KB5002868: Security update for SharePoint Enterprise Server 2016
- Zero Day Initiative: The May 2026 Security Update Review
- BleepingComputer: Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero days
- Microsoft Security Blog: Disrupting active exploitation of on premises SharePoint vulnerabilities
- Action1: Patch Tuesday May 2026
- Cybersecurity News: Microsoft Patch Tuesday May 2026



