CVE-2026-45484: Microsoft SharePoint Elevation of Privilege Vulnerability

Overview

Severity

High (CVSS 8.8)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Elevation of Privilege

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2026-Jun

Released

2026-06-09

Description

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to elevate privileges over a network.

FAQ

How could an attacker exploit the vulnerability? An authenticated attacker with access to the domain could perform remote code execution on the SharePoint server to elevate themselves to SharePoint admin. What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker who successfully exploited this vulnerability could gain administrator privileges. I am running SharePoint Server 2016. Do the updates for SharePoint Enterprise Server 2016 also apply to the version I am running? Yes. The same KB number applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. Customers running either version should install the security update to be protected from this vulnerability.

Affected Products (3)

Microsoft Office

• Microsoft SharePoint Enterprise Server 2016
• Microsoft SharePoint Server 2019
• Microsoft SharePoint Server Subscription Edition

Security Updates (3)

• 5002880
• 5002874
• 5002873

Acknowledgments

Kentaro Kawane with <a href="https://gmo-cybersecurity.com/">GMO Cybersecurity by Ierae, Inc.</a>, hamayanhamayan, hamayanhamayan

Revision History

• 2026-06-09: Information published.