ZeroPath at Black Hat USA 2026

Microsoft SharePoint Server CVE-2026-35439: Brief Summary of an Authenticated Deserialization RCE

A brief summary of CVE-2026-35439, a high severity deserialization vulnerability in Microsoft SharePoint Server that enables authenticated remote code execution. Includes patch details for all affected on premises editions.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-13

Microsoft SharePoint Server CVE-2026-35439: Brief Summary of an Authenticated Deserialization RCE
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A deserialization flaw in Microsoft SharePoint Server, patched in the May 2026 Patch Tuesday cycle, allows any authenticated user with site level privileges to execute arbitrary code on the underlying server over the network. With a CVSS 3.1 base score of 8.8 and no available workarounds, CVE-2026-35439 represents a significant risk for organizations running on premises SharePoint, particularly those with internet facing deployments where the authentication barrier is the only thing standing between an attacker and full code execution.

Technical Information

The vulnerability is classified under CWE-502: Deserialization of Untrusted Data. The root cause lies in how SharePoint Server processes serialized objects received over the network. When the server deserializes attacker controlled data without adequate validation, it opens a direct path to arbitrary code execution within the context of the SharePoint application process.

The full CVSS 3.1 vector string is:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Breaking this down:

MetricValueMeaning
Attack VectorNetwork (AV:N)Exploitable remotely over the network
Attack ComplexityLow (AC:L)No special conditions required
Privileges RequiredLow (PR:L)Standard site level authentication suffices
User InteractionNone (UI:N)No victim action needed
ScopeUnchanged (S:U)Impact confined to the vulnerable component
ConfidentialityHigh (C:H)Full read access to server data
IntegrityHigh (I:H)Full write access to server data
AvailabilityHigh (A:H)Complete denial of service possible

Authentication Requirements

The authentication bar for this vulnerability is notably low. According to the Zero Day Initiative's May 2026 security update review, anyone with site privileges possesses the necessary authentication to exploit the bug. Microsoft's own advisory specifies that an attacker authenticated as at least a Site Owner could write arbitrary code to execute remotely on the server. This does not require administrative or domain level credentials; a standard site level role is sufficient.

Attack Flow

Based on the available technical details, exploitation would proceed as follows:

  1. The attacker authenticates to the target SharePoint instance using any account with at least Site Owner privileges.
  2. The attacker crafts a malicious serialized payload designed to execute arbitrary commands upon deserialization.
  3. The attacker submits this payload to the vulnerable SharePoint endpoint over the network.
  4. The server processes the request and deserializes the untrusted data, causing the embedded code to execute with the privileges of the SharePoint application process.

Because the attack complexity is low and no user interaction is required, the entire chain from authentication to code execution can be performed programmatically without any special timing conditions or race windows.

Patch Information

Microsoft released official security updates on May 12, 2026, as part of the May 2026 Patch Tuesday cycle. The MSRC advisory confirms the remediation level as "Official Fix." No workarounds or alternative mitigations are available, and Microsoft has marked customer action as "Required" for all three affected products.

Available Patches

ProductKB ArticlePatched Build NumberReplaces
SharePoint Server Subscription EditionKB500286316.0.19725.20280KB5002853
SharePoint Server 2019KB500287016.0.10417.20128KB5002854
SharePoint Enterprise Server 2016KB500286816.0.5552.1002KB5002861

Each update is cumulative and also resolves several other CVEs bundled into the same release, including CVE-2026-40357, CVE-2026-33112, CVE-2026-33110, CVE-2026-40368, CVE-2026-40367, and CVE-2026-40365. A single installation per affected product covers all May 2026 SharePoint fixes.

Prerequisites

If your farm is running SharePoint Workflow Manager, you must first install the Workflow Manager update KB5002799 (released November 2025). Farms still using the Classic version of Workflow Manager also need to enable a debug flag post installation using the following PowerShell commands:

$farm = Get-SPFarm $farm.ServerDebugFlags.Add(53601) $farm.update() iisreset

Obtaining and Verifying Patches

Patches can be obtained through three channels: Microsoft Update (automatic delivery if auto updating is enabled), the Microsoft Update Catalog (standalone packages), or the Microsoft Download Center (direct download links).

After deployment, administrators should verify that the SharePoint build number matches or exceeds the patched build listed above for their respective product edition. As an additional hardening measure, organizations should review and constrain Site Owner privileges to reduce the potential attack surface, since these roles provide sufficient access to trigger the exploit.

Affected Systems and Versions

The following on premises Microsoft SharePoint Server editions are affected:

  • Microsoft SharePoint Server Subscription Edition (versions prior to build 16.0.19725.20280)
  • Microsoft SharePoint Server 2019 (versions prior to build 16.0.10417.20128)
  • Microsoft SharePoint Enterprise Server 2016 (versions prior to build 16.0.5552.1002)

Internet facing SharePoint instances are at elevated risk due to the network based attack vector combined with the low authentication requirement.

Vendor Security History

Microsoft addressed CVE-2026-35439 as part of a broader May 2026 Patch Tuesday release that fixed 120 vulnerabilities across Microsoft products, with no zero days reported in the batch. SharePoint has a documented history as a target for threat actors: in July 2025, Microsoft published a blog post detailing its efforts to disrupt active exploitation of on premises SharePoint vulnerabilities. While Microsoft currently assesses CVE-2026-35439 as "Exploitation Less Likely," the historical pattern of SharePoint vulnerabilities being weaponized after patch release suggests organizations should not delay remediation.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization