Microsoft has disclosed CVE-2026-35439, an Important-rated remote code execution vulnerability in on-premises SharePoint Server, patched in the May 12, 2026 security updates. The flaw stems from deserialization of untrusted data and requires authentication, but allows attackers who have any low-privilege SharePoint user account to execute arbitrary code on the server.

Affected versions include SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016. Administrators must apply the update immediately to prevent compromise.

Understanding CVE-2026-35439

CVE-2026-35439 arises from unsafe deserialization within SharePoint Server. When the platform processes serialized data from incoming requests without adequate validation, an attacker can craft a malicious payload that, when deserialized, triggers code execution in the context of the IIS worker process. Microsoft has classified this vulnerability with an “Important” severity rating—not “Critical”—because exploitation requires the attacker to be authenticated.

Deserialization vulnerabilities have plagued SharePoint for years. The platform’s reliance on .NET BinaryFormatter and other serializers in legacy Web Parts, workflows, and APIs provides a broad attack surface. In this case, a specific component deserializes user-supplied data without enforcing type restrictions, enabling an attacker to insert a gadget chain that eventually executes system commands.

Technical Impact and Attack Scenarios

After obtaining valid credentials—even those of a standard site visitor—an attacker can send a specially crafted request to the vulnerable endpoint. Successful exploitation yields remote code execution with the privileges of the SharePoint application pool account, typically a domain user with extensive local rights. From there, the attacker can:

  • Access and exfiltrate sensitive SharePoint data, including documents, lists, and configuration databases.
  • Pivot to other systems on the internal network using stolen credentials or pass-the-hash techniques.
  • Deploy ransomware or persistent backdoors on the SharePoint server.
  • Escalate privileges further by exploiting misconfigurations or other vulnerabilities.

Despite the authentication requirement, the threat is significant because SharePoint environments often have numerous users, and credential phishing or brute-force attacks can yield the necessary access. Moreover, organizations frequently expose SharePoint servers to the internet for hybrid work scenarios, increasing the risk of opportunistic attacks.

Why “Important” Instead of “Critical”?

Microsoft’s severity rating system considers both impact and attack vector. Critical vulnerabilities typically require no user interaction or authentication and allow wormable propagation. CVE-2026-35439 receives an Important rating because it cannot be exploited without valid credentials. However, this does not diminish the urgency for patching—authenticated RCEs are regularly weaponized by attackers who obtain credentials through other means.

Affected Versions and Patch Availability

Microsoft’s advisory confirms that the following on-premises SharePoint Server editions are affected:

  • SharePoint Server Subscription Edition
  • SharePoint Server 2019
  • SharePoint Server 2016

Security updates are available via Windows Update, Microsoft Update, and the Update Catalog. Organizations using automatic updating should receive the patch automatically. Those managing patching manually must download and install the specific cumulative update for their SharePoint version. As always, SharePoint Server patching requires running the SharePoint Products Configuration Wizard after applying the update to complete the upgrade process.

Microsoft 365 SharePoint Online customers are not impacted by this on-premises vulnerability.

Mitigation and Workarounds

For organizations unable to patch immediately, the only effective mitigation is to limit access to the vulnerable SharePoint web applications. This can include:

  • Restricting SharePoint access to trusted internal IP ranges via firewall rules or VPN requirements.
  • Disabling anonymous access and enforcing multi-factor authentication for all SharePoint users.
  • Monitoring for suspicious deserialization activity using endpoint detection and response (EDR) tools that can observe .NET runtime behavior.

Microsoft has not provided any temporary feature-level workarounds, such as disabling specific components, underscoring the necessity of applying the update.

Historical Context: SharePoint Deserialization RCEs

CVE-2026-35439 is the latest in a long line of deserialization-based remote code execution flaws in SharePoint. Past examples include CVE-2023-38146 (a zero-day exploited in the wild), CVE-2022-24480, and CVE-2020-1147. Each of these stemmed from insufficient validation of serialized data in various SharePoint services. The recurrence of such issues highlights a systemic challenge in securing complex enterprise platforms that must support legacy customization and integration.

Microsoft has improved the security of .NET serialization with features like SerializationBinder and the BinaryFormatter security guidance, but many SharePoint components still require careful review. Adversaries continue to target these weaknesses because of the high value of SharePoint data and its privileged position in corporate networks.

Detection and Monitoring

Security teams can detect exploitation attempts by focusing on the following signals:

  • IIS logs showing POST requests to SharePoint endpoints known to process deserialized data, particularly those with unusually large or base64-encoded bodies.
  • Windows event logs indicating the launch of unexpected processes (e.g., cmd.exe, powershell.exe) under the SharePoint application pool identity.
  • YARA or Sigma rules targeting known deserialization gadget chains frequently used in .NET RCE payloads.

The vulnerability may also be detected by behavioral analytics tools that flag abnormal process lineage or network connections from the SharePoint server to external IPs.

Securing SharePoint in 2026 and Beyond

While applying the patch is the immediate priority, organizations should also adopt a proactive security posture for SharePoint Server:

  • Regularly review and audit SharePoint permissions to minimize the number of privileged and service accounts.
  • Segment SharePoint servers from sensitive internal networks to limit lateral movement.
  • Employ application-aware WAF rules that can inspect and block malicious serialized payloads.
  • Keep an inventory of custom SharePoint solutions and Web Parts; remove or update any that use deprecated serialization methods.
  • Track Microsoft’s deprecation plans for on-premises SharePoint components and plan migration to modern alternatives where feasible.

The May 2026 security release addresses this and other vulnerabilities. CVE-2026-35439 is a stark reminder that on-premises SharePoint requires the same urgent patching diligence as any internet-facing enterprise application.

Take Action Now

CVE-2026-35439 is actively being monitored by threat intelligence groups, and while there are no confirmed reports of in-the-wild exploitation at the time of disclosure, the public availability of detailed information in the security update makes exploitation inevitable. Attackers often reverse-engineer patches to develop working exploits within days. SharePoint Server administrators should treat this with the same urgency as a Critical-rated vulnerability and apply the update during the next available maintenance window—or immediately if possible.

For detailed deployment guidance, consult the Microsoft Security Response Center advisory at the link below.