CVE-2026-40365 Overview
CVE-2026-40365 is a remote code execution vulnerability in Microsoft Office SharePoint Server caused by insufficient granularity of access control [CWE-1220]. An authenticated attacker with low privileges can leverage coarse-grained authorization checks to execute arbitrary code on the SharePoint server over a network. The flaw affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016 Enterprise.
Microsoft published the advisory through the Microsoft Security Response Center (MSRC) and addressed the issue in scheduled security updates. The vulnerability does not require user interaction and impacts confidentiality, integrity, and availability of the affected SharePoint instance.
Critical Impact
An authenticated attacker can execute arbitrary code on a SharePoint Server with full impact to confidentiality, integrity, and availability of the host.
Affected Products
- Microsoft SharePoint Server Subscription Edition
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Server 2016 Enterprise
Discovery Timeline
- 2026-05-12 - CVE-2026-40365 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-40365
Vulnerability Analysis
The vulnerability stems from insufficient granularity of access control [CWE-1220] in Microsoft SharePoint Server. SharePoint enforces authorization at a level coarser than the protected operations require. As a result, an account with low privileges passes the access check and reaches code paths intended for higher-privileged users.
Once inside those code paths, the attacker can trigger server-side functionality that executes code in the SharePoint worker process. The attack vector is the network, complexity is low, and no user interaction is required. The attacker only needs valid credentials on the target site.
Root Cause
The underlying defect is an access control model that groups distinct operations under a single permission boundary. SharePoint authorizes access to a broad surface when it should validate the specific operation, scope, and target object. This authorization gap allows a low-privileged user to invoke server-side actions that ultimately lead to code execution.
Attack Vector
An authenticated attacker sends crafted requests to a vulnerable SharePoint endpoint over HTTP or HTTPS. The server performs a coarse-grained authorization check that does not distinguish between read-level and code-affecting operations. The request reaches a privileged handler and executes attacker-controlled logic in the context of the SharePoint application pool identity.
No verified public proof-of-concept is available at the time of writing. Technical details are documented in the Microsoft Security Update CVE-2026-40365 advisory.
Detection Methods for CVE-2026-40365
Indicators of Compromise
- Unexpected w3wp.exe child processes such as cmd.exe, powershell.exe, or csc.exe spawned from SharePoint application pools.
- New or modified files under SharePoint web application directories, including .aspx, .ashx, or .dll artifacts in LAYOUTS or _vti_bin paths.
- Outbound network connections from SharePoint servers to unknown hosts immediately after authenticated HTTP requests.
Detection Strategies
- Hunt for authenticated HTTP requests from low-privileged accounts targeting administrative or privileged SharePoint endpoints.
- Correlate SharePoint Unified Logging Service (ULS) events with process creation telemetry on the host to identify request-to-execution chains.
- Alert on PowerShell or scripting engine execution under the SharePoint application pool identity.
Monitoring Recommendations
- Forward IIS, ULS, and Windows Security event logs to a centralized analytics platform for cross-source correlation.
- Monitor SharePoint farm configuration changes, solution deployments, and timer job modifications.
- Track authentication patterns for service and low-privilege accounts that interact with SharePoint APIs.
How to Mitigate CVE-2026-40365
Immediate Actions Required
- Apply the Microsoft security update for CVE-2026-40365 to all affected SharePoint Server versions as documented in the MSRC advisory.
- Inventory SharePoint farms for Subscription Edition, 2019, and 2016 Enterprise builds and prioritize internet-exposed instances.
- Audit user and service account permissions on SharePoint sites and remove unnecessary low-privilege access where feasible.
Patch Information
Microsoft has released security updates for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016 Enterprise. Administrators should install the cumulative updates referenced in the Microsoft Security Update CVE-2026-40365 guide and restart affected services. Verify build numbers after patching to confirm successful installation.
Workarounds
- Restrict access to SharePoint sites at the network perimeter using authenticated reverse proxies or VPN-only access.
- Enforce least-privilege site permissions and remove broad group memberships such as Everyone or All Authenticated Users from sensitive sites.
- Enable multi-factor authentication for all SharePoint user accounts to raise the cost of credential-based access.
# Verify SharePoint patch level after applying the update
Get-SPFarm | Select-Object BuildVersion
Get-SPProduct -Local | Select-Object ProductName, PatchableUnitDisplayName, Patches
: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
