What happened
CISA added CVE-2026-45659 to the Known Exploited Vulnerabilities (KEV) catalog on July 1, 2026, confirming active in-the-wild exploitation. Microsoft issued an out-of-band patch for this deserialization remote code execution (RCE) flaw in SharePoint Server. CISA set a federal agency remediation deadline of July 4, 2026 under BOD 26-04.
Why it matters
SharePoint Server is a foundational document store for enterprise RAG pipelines and Microsoft 365 Copilot knowledge bases. RCE on SharePoint in the context of an AI deployment means an attacker can poison the document corpus feeding enterprise AI agents, exfiltrate sensitive documents used in RAG retrieval, or pivot to the broader enterprise network from the SharePoint host. Confirmed active exploitation makes this an immediate threat to AI-integrated SharePoint deployments.
Attack vector
An authorized attacker with network access to the SharePoint server (no administrative privileges required) exploits a deserialization-of-untrusted-data vulnerability to execute arbitrary code on the server over the network.
Affected systems
Microsoft SharePoint Server 2016, 2019, and Subscription Edition
Mitigation
Apply Microsoft's out-of-band security update immediately. MSRC advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45659. CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog