Introduction
Microsoft's May 2026 Patch Tuesday addressed 120 flaws, and buried within that batch are six separate remote code execution vulnerabilities targeting SharePoint Server, all scored at CVSS 8.8. CVE-2026-40357 is one of two in that group that exploits insecure deserialization, allowing any authenticated user with basic Site Member permissions to execute arbitrary code on the server over the network.
For organizations running on premises SharePoint, this is a meaningful risk: the attack complexity is low, no user interaction is required, and the privilege bar is minimal. The combination of these factors with high impact across confidentiality, integrity, and availability makes this vulnerability worth understanding and patching promptly.
Technical Information
Root Cause: CWE-502 Deserialization of Untrusted Data
CVE-2026-40357 is classified under CWE-502, Deserialization of Untrusted Data. The core issue lies in how Microsoft Office SharePoint processes serialized data received from network requests. When SharePoint deserializes data without adequate validation or sanitization, an attacker can craft a malicious serialized payload that, upon deserialization, triggers arbitrary code execution on the server.
The vulnerable component is bound to the network stack, meaning exploitation does not require local access or adjacency to the target. It is remotely exploitable across one or more network hops.
CVSS Breakdown
The full CVSS 3.1 vector string is:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Breaking this down:
| Metric | Value | Meaning |
|---|---|---|
| Attack Vector | Network | Exploitable remotely |
| Attack Complexity | Low | Repeatable success without specialized conditions |
| Privileges Required | Low | Site Member permissions are sufficient |
| User Interaction | None | No victim action needed |
| Scope | Unchanged | Impact confined to the vulnerable component |
| Confidentiality | High | Full read access to server data |
| Integrity | High | Ability to modify server data |
| Availability | High | Ability to disrupt server operations |
Attack Flow
Based on the advisory details, the exploitation path follows this general sequence:
-
Authentication: The attacker obtains or already possesses valid credentials for the SharePoint environment. The minimum required privilege level is Site Member, which is a common, low tier role in most SharePoint deployments.
-
Payload Construction: The attacker crafts a malicious serialized object designed to execute arbitrary commands upon deserialization. The specific serialization format and endpoint are not publicly documented, but the CWE-502 classification confirms the deserialization pathway.
-
Network Delivery: The attacker sends the crafted payload to the vulnerable SharePoint Server endpoint over the network. No special network positioning or timing conditions are required (Attack Complexity: Low).
-
Deserialization and Execution: The SharePoint Server processes the incoming request and deserializes the attacker controlled data without sufficient validation. This triggers the execution of the embedded malicious code on the server, with the impact spanning full compromise of confidentiality, integrity, and availability.
Broader Context: A Cluster of SharePoint Deserialization Flaws
CVE-2026-40357 does not exist in isolation. The May 2026 patch cycle addressed six SharePoint RCE vulnerabilities, all with a CVSS score of 8.8:
| CVE | CVSS Score | Vulnerability Type |
|---|---|---|
| CVE-2026-33110 | 8.8 | Remote Code Execution |
| CVE-2026-33112 | 8.8 | Remote Code Execution |
| CVE-2026-35439 | 8.8 | Remote Code Execution (Deserialization) |
| CVE-2026-40357 | 8.8 | Remote Code Execution (Deserialization) |
| CVE-2026-40365 | 8.8 | Remote Code Execution |
| CVE-2026-40403 | 8.8 | Remote Code Execution |
The presence of two deserialization flaws (CVE-2026-35439 and CVE-2026-40357) in the same patch cycle suggests a systemic pattern in how SharePoint handles serialized data, rather than an isolated coding error.
Patch Information
Microsoft released official patches for CVE-2026-40357 on May 12, 2026, as part of the May 2026 Patch Tuesday cycle. The fix addresses how SharePoint handles deserialized data from untrusted sources, hardening the server side processing pipeline against malicious payloads.
Three separate security updates were published, each targeting a different supported SharePoint Server edition:
| Product | KB Article | Build Number | Replaces |
|---|---|---|---|
| SharePoint Server Subscription Edition | KB5002863 | 16.0.19725.20280 | KB5002853 |
| SharePoint Server 2019 | KB5002870 | 16.0.10417.20128 | KB5002854 |
| SharePoint Enterprise Server 2016 | KB5002868 | — | — |
Each KB package is cumulative. The Subscription Edition update (KB5002863) also addresses CVE-2026-33112, CVE-2026-33110, CVE-2026-40368, and CVE-2026-35439. The SharePoint Server 2019 update (KB5002870) covers additional CVEs including CVE-2026-40367 and CVE-2026-40365. Administrators should treat these as comprehensive rollups rather than single vulnerability patches.
Installation Methods
Microsoft provides three installation methods for each update:
- Microsoft Update: Automatic delivery when auto update is enabled.
- Microsoft Update Catalog: Standalone packages available for manual download (e.g., catalog entry for KB5002863).
- Microsoft Download Center: Direct download links such as KB5002863 for Subscription Edition and KB5002870 for SharePoint 2019.
Prerequisites and Caveats
One important prerequisite applies: if the environment runs SharePoint Workflow Manager, administrators must first install KB5002799 (the November 2025 Workflow Manager update) before applying any of these May 2026 cumulative updates. Failing to do so could break workflow functionality.
Environments still running the Classic version of Workflow Manager must enable a debug flag via PowerShell and run iisreset to maintain compatibility:
$farm.ServerDebugFlags.Add(53601) iisreset
Integrity Verification
The SHA-256 hash for the Subscription Edition package is:
E2B144E8C5F7F85F147EA3B553E5D5487685741D96E7E5E1951F0EC9AAF4BF20
This can be used to verify download integrity before deployment.
There are no alternative workarounds listed for this vulnerability. Applying the official patches is the only endorsed remediation path.
Affected Systems and Versions
The following on premises SharePoint Server editions are confirmed vulnerable:
| Product | Target Build After Patching |
|---|---|
| Microsoft SharePoint Server Subscription Edition | 16.0.19725.20280 |
| Microsoft SharePoint Server 2019 | 16.0.10417.20128 |
| Microsoft SharePoint Enterprise Server 2016 | 16.0.5552.1002 |
Any installation running a build number below the listed target is vulnerable and requires the corresponding KB update. The advisories focus exclusively on on premises server editions; specific details on whether SharePoint Online environments required backend patching by Microsoft are not documented in the available materials.
Vendor Security History
SharePoint Server accumulated six different Remote Code Execution vulnerabilities in the May 2026 patch cycle alone, all carrying an identical CVSS score of 8.8. Two of these six specifically involve deserialization of untrusted data (CVE-2026-40357 and CVE-2026-35439), indicating a concentrated area of weakness in SharePoint's serialization handling. This pattern suggests that security researchers and Microsoft's internal teams are actively auditing this attack surface, and organizations should expect continued attention to deserialization related flaws in future patch cycles.
The May 2026 Patch Tuesday addressed 120 flaws total across Microsoft's product portfolio, with no zero days reported. While the current exploitability assessment for CVE-2026-40357 is "Exploitation Less Likely," the concentration of similar vulnerabilities in a single release increases the likelihood that threat actors will reverse engineer the patches to identify exploitable code paths.
References
- CVE-2026-40357: Microsoft Security Update Guide
- CVE-2026-40357: NVD Detail
- CVE Record: CVE-2026-40357
- KB5002863: Security Update for SharePoint Server Subscription Edition
- KB5002870: Security Update for SharePoint Server 2019
- KB5002868: Security Update for SharePoint Enterprise Server 2016
- Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero days (BleepingComputer)
- Patch Tuesday May 2026 (Action1)
- Patch Tuesday May 2026 (PDQ)
- Microsoft Update Catalog: KB5002863
- Microsoft Download Center: KB5002863 for Subscription Edition
- Microsoft Download Center: KB5002870 for SharePoint 2019



