Description
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to elevate privileges over a network.
Published: 2026-06-09
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a flaw in the deserialization of untrusted data in Microsoft Office SharePoint. Because the deserialization path is available to users who have authorized access, an adversary with such access may craft malicious data that is processed by SharePoint and thereby increase the privileges they hold on the network. This is a pure privilege‑escalation issue; no other security properties are explicitly affected in the description.

Affected Systems

Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint Server Subscription Edition are listed as affected. Version details are not specified in the CNA data, so all known releases of the mentioned products carry the same risk until a patch is applied.

Risk and Exploitability

The CVSS score of 8.8 places the flaw in the high‑severity range. The EPSS score is not available, which means there is no public information about exploitation frequency, and the vulnerability does not appear in the CISA KEV catalog. The attack requires an attacker who already has some form of authorized SharePoint access; the flaw is activated when that authorized user submits crafted data over the network that is then deserialized by SharePoint.

Generated by OpenCVE AI on June 9, 2026 at 19:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft security update that addresses CVE-2026-45484 (see Microsoft update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45484).
  • After patching, enforce least‑privilege permissions on SharePoint sites and user accounts to reduce the potential impact of any remaining or future deserialization weaknesses.
  • Continuously monitor SharePoint audit logs for anomalous deserialization or privilege‑elevation activity and investigate any suspected incidents promptly.

Generated by OpenCVE AI on June 9, 2026 at 19:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to elevate privileges over a network.
Title Microsoft SharePoint Elevation of Privilege Vulnerability
First Time appeared Microsoft
Microsoft sharepoint Server
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
Weaknesses CWE-502
CPEs cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft sharepoint Server
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Sharepoint Server Sharepoint Server 2016 Sharepoint Server 2019
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-10T10:15:46.278Z

Reserved: 2026-05-12T16:07:22.617Z

Link: CVE-2026-45484

cve-icon Vulnrichment

Updated: 2026-06-10T10:15:41.715Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-09T17:17:22.883

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-45484

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T23:00:13Z

Weaknesses