CVE-2026-35439 Overview
CVE-2026-35439 is a deserialization of untrusted data vulnerability [CWE-502] in Microsoft Office SharePoint. An authenticated attacker can send crafted serialized data over the network to trigger arbitrary code execution on the SharePoint server. The flaw affects multiple supported releases, including SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016 Enterprise. Successful exploitation compromises confidentiality, integrity, and availability of the target environment. Microsoft published the advisory on May 12, 2026, and updated it on May 13, 2026.
Critical Impact
An authorized network attacker can achieve remote code execution on SharePoint servers, enabling lateral movement, data theft, and persistence within the collaboration platform.
Affected Products
- Microsoft SharePoint Server Subscription Edition
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Server 2016 Enterprise
Discovery Timeline
- 2026-05-12 - CVE-2026-35439 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-35439
Vulnerability Analysis
The vulnerability resides in SharePoint's handling of serialized objects submitted through network-accessible endpoints. SharePoint accepts serialized payloads and reconstructs them into .NET objects without sufficient type validation. An authenticated user with low privileges can submit a malicious gadget chain that triggers code execution during deserialization. The attack does not require user interaction and runs in the context of the SharePoint application pool identity. Because SharePoint farms commonly hold sensitive enterprise data and integrate with identity providers, post-exploitation impact extends beyond the affected host.
Root Cause
The root cause is unsafe deserialization of attacker-controlled data, classified under [CWE-502]. SharePoint does not enforce strict type binding or allow-listing on incoming serialized objects, permitting gadget chains in referenced assemblies to execute arbitrary methods during object graph reconstruction.
Attack Vector
The attack vector is network-based and requires valid authentication to the SharePoint instance. An attacker authenticates with low-privileged credentials, then submits a crafted serialized payload to a vulnerable endpoint. The deserialization routine invokes attacker-chosen methods, leading to command execution under the SharePoint service account. No user interaction is required, and the attack complexity is low.
No verified public proof-of-concept code is available at the time of publication. Refer to the Microsoft Security Update Guide for technical specifics released by the vendor.
Detection Methods for CVE-2026-35439
Indicators of Compromise
- Unexpected child processes spawned by w3wp.exe running under the SharePoint application pool identity, such as cmd.exe, powershell.exe, or rundll32.exe.
- Anomalous POST requests to SharePoint endpoints containing serialized .NET object signatures (for example, base64 payloads beginning with AAEAAAD).
- New scheduled tasks, services, or web shells created on SharePoint front-end or application servers.
- Outbound network connections from SharePoint servers to unfamiliar external hosts following authenticated HTTP traffic.
Detection Strategies
- Inspect IIS logs for authenticated POST requests to SharePoint handlers carrying unusually large or binary-encoded payloads.
- Monitor Windows Event Logs and Sysmon for process creation events where w3wp.exe is the parent of a command interpreter or scripting host.
- Correlate authentication events with subsequent process or file system changes on SharePoint servers to identify chained activity.
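Added detection example, not part of this advisory: it runs the two checks above (a command interpreter spawned by w3wp.exe under the application pool identity, and authenticated POSTs sized like a serialized payload) over constructed Sysmon and IIS records, plus a body check for the BinaryFormatter header signature from the indicator list. The account name, paths and log values are assumed for illustration.

```python
from urllib.parse import unquote_plus

# Constructed sample telemetry: field names follow Sysmon EventID 1 and W3C IIS logging,
# but every value, path and the application pool account name is assumed for illustration.
APP_POOL_ACCOUNT = r"CONTOSO\svc_sp_apppool"   # assumed SharePoint application pool identity
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "wscript.exe", "cscript.exe"}
# BinaryFormatter stream header bytes 00 01 00 00 00 FF FF FF FF base64-encode to this prefix
BINARYFORMATTER_B64 = "AAEAAAD/////"

SYSMON_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "User": APP_POOL_ACCOUNT,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "User": APP_POOL_ACCOUNT,
     "Image": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe 0x4"},  # benign helper
    {"ParentImage": r"C:\Windows\explorer.exe", "User": r"CONTOSO\admin",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},  # interactive admin session
]
IIS_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "s-port",
              "cs-username", "c-ip", "cs(User-Agent)", "sc-status", "cs-bytes"]
IIS_LINES = [
    "#Fields: " + " ".join(IIS_FIELDS),
    r"2026-05-12 10:15:02 10.0.0.5 POST /_layouts/15/example-handler.ashx - 443 CONTOSO\alice 10.0.0.77 Mozilla/5.0 200 131072",
    r"2026-05-12 10:15:09 10.0.0.5 POST /_layouts/15/example-handler.ashx - 443 - 10.0.0.78 Mozilla/5.0 401 131072",
    r"2026-05-12 10:16:30 10.0.0.5 POST /sites/team/_api/web/lists - 443 CONTOSO\bob 10.0.0.79 Mozilla/5.0 200 812",
]

def suspicious_child_processes(events):
    """Sysmon EventID 1 records where w3wp.exe, running as the application pool account,
    is the parent of a command interpreter or scripting host. Returns the child command lines."""
    hits = []
    for ev in events:
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        child = ev["Image"].rsplit("\\", 1)[-1].lower()
        if parent == "w3wp.exe" and child in INTERPRETERS and ev["User"].lower() == APP_POOL_ACCOUNT.lower():
            hits.append(ev["CommandLine"])
    return hits

def large_authenticated_posts(lines, min_bytes=65536):
    """W3C IIS lines: authenticated POSTs (cs-username set) whose request size (cs-bytes) is at least min_bytes."""
    hits = []
    for line in lines:
        if line.startswith("#"):  # skip W3C directive lines
            continue
        rec = dict(zip(IIS_FIELDS, line.split(" ")))
        if rec["cs-method"] == "POST" and rec["cs-username"] != "-" and int(rec["cs-bytes"]) >= min_bytes:
            hits.append((rec["cs-uri-stem"], rec["cs-username"], int(rec["cs-bytes"])))
    return hits

def has_binaryformatter_header(body):
    """True when a captured request body (form- or URL-encoded) carries the base64 BinaryFormatter header."""
    return BINARYFORMATTER_B64 in unquote_plus(body)
```

IIS logs record request size but not bodies, so the header check only applies where full request bodies are captured, as the workaround section recommends during remediation.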
Monitoring Recommendations
- Forward SharePoint, IIS, and Windows security logs to a centralized analytics platform for behavioral correlation.
- Baseline normal SharePoint service account behavior and alert on deviations such as registry modifications or credential access.
- Continuously monitor for newly created .aspx, .ashx, or .asmx files in SharePoint web directories that were not deployed by administrators.
How to Mitigate CVE-2026-35439
Immediate Actions Required
- Apply the Microsoft security update referenced in the Microsoft Security Update Guide to all affected SharePoint Server instances.
- Audit SharePoint user accounts and remove or reduce privileges for accounts that do not require write or contributor access.
- Restrict network access to SharePoint front-end servers using firewall rules and reverse proxies that enforce authentication and rate limiting.
- Rotate credentials and review service account permissions for SharePoint application pools after patching.
Patch Information
Microsoft has released security updates for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016 Enterprise. Administrators should consult the Microsoft Security Update Guide for the specific KB articles and download packages applicable to each version. Apply updates to all servers in the farm and follow Microsoft's prescribed PSConfig or upgrade sequence after installation.
Workarounds
- Limit authenticated access to SharePoint to trusted internal networks via VPN or zero-trust network access until patches are applied.
- Enable and tune the Antimalware Scan Interface (AMSI) integration on SharePoint servers to inspect runtime payloads.
- Increase logging verbosity on SharePoint and IIS to capture full request bodies for forensic review during the remediation window.
# Configuration example: enforce least privilege on a SharePoint site collection (SharePoint Management Shell)
# Set-SPUser adjusts permission levels in place; Remove-SPUser has no -PermissionLevel parameter and would remove the user from the site entirely.
Set-SPUser -Identity "DOMAIN\user" -Web https://sharepoint.example.com -AddPermissionLevel "Read"
Set-SPUser -Identity "DOMAIN\user" -Web https://sharepoint.example.com -RemovePermissionLevel "Contribute"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.