CVE-2026-40368 Overview
CVE-2026-40368 is a deserialization of untrusted data vulnerability [CWE-502] in Microsoft Office SharePoint Server. An authenticated attacker can execute arbitrary code over a network by sending crafted serialized payloads to a vulnerable SharePoint endpoint. The flaw affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016 Enterprise.
Microsoft published the advisory on May 12, 2026. Successful exploitation grants full compromise of confidentiality, integrity, and availability on the SharePoint host. Exploitation requires low-privileged authentication and user interaction.
Critical Impact
An authorized attacker can achieve remote code execution on SharePoint servers, enabling lateral movement, data theft, and persistence within enterprise collaboration environments.
Affected Products
- Microsoft SharePoint Server Subscription Edition
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Server 2016 Enterprise
Discovery Timeline
- 2026-05-12 - CVE-2026-40368 published to NVD and Microsoft Security Response Center advisory released
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-40368
Vulnerability Analysis
The vulnerability stems from unsafe deserialization of attacker-controlled data in Microsoft Office SharePoint Server: a SharePoint component accepts a serialized object graph in an authenticated request and reconstructs it without restricting the types the deserializer may instantiate. An attacker with low-privileged access to a SharePoint site can therefore submit a crafted payload whose object graph forms a gadget chain. Microsoft has not published which handler or serializer is involved.
When the object graph is rehydrated, the deserializer instantiates the attacker-chosen types and runs their constructors, property setters, and serialization callbacks; a chain of such types drawn from assemblies SharePoint already loads is enough to reach a code-execution sink, so the code runs in the context of the SharePoint application pool. The attack vector is network-based and Microsoft rates the attack complexity as low.
Microsoft also lists user interaction as required. The advisory does not say what that interaction is, so a delivery path in which a victim opens a crafted document or activates a UI element that submits the payload is an inference, not a published detail. Compromise of the SharePoint process exposes whatever the application pool identity can reach: farm configuration, content databases, and the service account credentials used for integrated identity stores.
Root Cause
The root cause is deserialization of untrusted data [CWE-502]: the affected code reconstructs an object graph from attacker-controlled input without restricting the types the deserializer may instantiate. A deny list of known dangerous .NET gadget types is not a sufficient control, because new gadget chains in shipped .NET assemblies are found regularly; the durable fix is to stop using BinaryFormatter-style polymorphic deserialization on client-supplied data, or to enforce a strict allow list of the expected types (for example a SerializationBinder that rejects everything else).
Attack Vector
An authenticated attacker with low-privileged access submits a crafted payload to a vulnerable SharePoint handler. The serialized data references a gadget chain that executes commands when the type resolver reconstructs the object graph. Code runs under the SharePoint application pool identity, which in many farms is a domain service account with broad permissions across the farm.
No verified public exploit code is available for CVE-2026-40368. Refer to the Microsoft Security Response Center advisory for vendor-supplied technical details.
Detection Methods for CVE-2026-40368
Indicators of Compromise
- Unexpected w3wp.exe child processes such as cmd.exe, powershell.exe, or rundll32.exe spawned by SharePoint application pools
- Anomalous outbound network connections originating from SharePoint web front-end servers
- New or modified .aspx files in SharePoint layouts or hive directories indicating webshell drops
- Unusual POST requests to SharePoint endpoints whose bodies carry .NET serialization markers: the base64-encoded BinaryFormatter stream header (AAEAAAD/////AQAAAAAAAAA), Json.NET "$type" or JavaScriptSerializer "__type" type hints, or gadget type names such as ObjectDataProvider. IIS logs do not record request bodies, so these indicators require a WAF, reverse proxy, or request-tracing capture
Detection Strategies
- Monitor SharePoint Unified Logging Service (ULS) logs for SerializationException entries and type-resolution failures (unknown type or assembly) raised inside w3wp.exe
- Inspect IIS W3C logs for POST requests to SharePoint handlers (/_vti_bin/, /_layouts/, /_api/) with abnormally large request sizes; this needs the cs-bytes field, which is not logged by default. Base64-encoded serialized payloads can only be matched in request bodies, which IIS logs omit, so pair the log review with body captures from a WAF, reverse proxy, or IIS Failed Request Tracing
- Correlate authenticated session activity with process creation events on SharePoint hosts to identify post-exploitation behavior
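The request-layer checks above (large POSTs to SharePoint handlers in IIS logs, serialization markers in captured bodies) as one PowerShell script. This is an added example for this page, not code from Microsoft or from the advisory. The log excerpt and body captures are constructed; the handler patterns, the upload exclusion and the 512 KB threshold are assumptions to calibrate against your own farm's baseline, and the marker strings are indicators of a serialized .NET payload, not proof of exploitation.

```powershell
# Constructed W3C IIS log excerpt; the #Fields line defines the column order (all values are space-free).
$IisLogSample = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status cs-bytes
2026-05-13 09:14:02 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\jdoe 10.0.1.20 Mozilla/5.0 200 812
2026-05-13 09:14:30 10.0.0.5 POST /_vti_bin/client.svc/ProcessQuery - 443 CONTOSO\jdoe 10.0.1.20 Mozilla/5.0 200 4120
2026-05-13 09:14:55 10.0.0.5 POST /_layouts/15/Upload.aspx List=Documents 443 CONTOSO\jdoe 10.0.1.20 Mozilla/5.0 200 7340201
2026-05-13 09:15:11 10.0.0.5 POST /_vti_bin/client.svc/ProcessQuery - 443 CONTOSO\temp01 203.0.113.7 python-requests/2.31 200 1489223
2026-05-13 09:15:12 10.0.0.5 POST /_vti_bin/webpartpages.asmx - 443 CONTOSO\temp01 203.0.113.7 python-requests/2.31 500 992871
'@

function ConvertFrom-IisW3cLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split ' '; continue }
        if (-not $fields -or $line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split ' '
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $record[$fields[$i]] = $values[$i] }
        [pscustomobject]$record
    }
}

# Assumptions: handlers that accept client-supplied object graphs or markup, and upload pages that are legitimately large.
$HandlerPatterns   = '^/_vti_bin/', '^/_layouts/', '^/_api/'
$ExcludedPatterns  = '^/_layouts/\d+/Upload\.aspx$'
$PostSizeThreshold = 512KB   # assumption: calibrate against the farm's own distribution of POST sizes

function Find-SuspiciousSharePointPosts {
    param([object[]]$Records, [int64]$Threshold = $PostSizeThreshold)
    foreach ($r in $Records) {
        $stem = $r.'cs-uri-stem'
        $isHandler  = @($HandlerPatterns  | Where-Object { $stem -match $_ }).Count -gt 0
        $isExcluded = @($ExcludedPatterns | Where-Object { $stem -match $_ }).Count -gt 0
        if ($r.'cs-method' -eq 'POST' -and $isHandler -and -not $isExcluded -and [int64]$r.'cs-bytes' -ge $Threshold) { $r }
    }
}

# Strings that indicate a .NET serialized object graph in a request body. IIS logs never contain the body;
# apply these to captures from a WAF, reverse proxy, or IIS Failed Request Tracing.
$SerializationMarkers = [ordered]@{
    'BinaryFormatter stream header (base64)'      = 'AAEAAAD/////AQAAAAAAAAA'
    'Json.NET polymorphic type hint'              = '"\$type"\s*:'
    'JavaScriptSerializer/DataContract type hint' = '"__type"\s*:'
    'WPF ObjectDataProvider gadget'               = 'ObjectDataProvider'
    'Process launch inside object graph'          = 'System\.Diagnostics\.Process'
}

function Find-SerializationMarkers {
    param([string]$Body)
    foreach ($m in $SerializationMarkers.GetEnumerator()) { if ($Body -match $m.Value) { $m.Key } }
}

# Constructed body captures: a base64 BinaryFormatter stream (header only), a Json.NET gadget-shaped document, and a benign JSON body.
$CapturedBodies = @(
    'ctl00%24data=AAEAAAD/////AQAAAAAAAAAMAgAAAF'
    '{"$type":"System.Windows.Data.ObjectDataProvider, PresentationFramework","MethodName":"Start","ObjectInstance":{"$type":"System.Diagnostics.Process, System"}}'
    '{"Title":"Quarterly report","Author":"jdoe"}'
)

# Usage: the two temp01 requests from 203.0.113.7 are flagged; the large Upload.aspx POST is excluded.
$records = ConvertFrom-IisW3cLog ($IisLogSample -split "`r?`n")
Find-SuspiciousSharePointPosts -Records $records |
    Format-Table 'time', 'cs-username', 'c-ip', 'cs-uri-stem', 'cs-bytes', 'sc-status' -AutoSize
foreach ($body in $CapturedBodies) {
    $hits = @(Find-SerializationMarkers -Body $body)
    if ($hits.Count -gt 0) { "SUSPICIOUS: $($hits -join ', ')" } else { 'clean' }
}
```

Point ConvertFrom-IisW3cLog at Get-Content of the real u_ex*.log files under the site's log directory; cs-bytes must be enabled in the IIS logging fields first or the size test will never fire.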
Monitoring Recommendations
- Enable advanced auditing on SharePoint farms and forward events to a centralized SIEM for correlation
- Track service account behavior and flag deviations from baseline command execution patterns
- Alert on creation of scheduled tasks, services, or registry persistence on SharePoint servers
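The host-side counterpart: flagging processes that a SharePoint application pool (w3wp.exe) spawns but should never spawn, from Security event 4688 records, together with a sweep of recently registered scheduled tasks for the persistence check above. This is an added example for this page, not code from Microsoft or from the advisory. The event records and the account name svc_spapp are constructed; the list of suspicious child images is an assumption to extend from your own baseline of what the farm's application pools legitimately launch.

```powershell
# Assumption: images that have no legitimate reason to be direct children of a SharePoint application pool.
$SuspiciousChildren = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'rundll32.exe', 'mshta.exe',
                      'wscript.exe', 'cscript.exe', 'certutil.exe', 'bitsadmin.exe', 'regsvr32.exe'

function Find-W3wpSuspiciousChildren {
    param([object[]]$Events)
    foreach ($e in $Events) {
        $parent = [IO.Path]::GetFileName($e.ParentProcessName)
        $child  = [IO.Path]::GetFileName($e.NewProcessName)
        # Only direct children of w3wp.exe are flagged; descendants (cmd.exe -> whoami.exe) are reached through the flagged parent.
        if ($parent -ieq 'w3wp.exe' -and $SuspiciousChildren -contains $child) {
            [pscustomobject]@{ Time = $e.TimeCreated; Account = $e.SubjectUserName; Child = $child; CommandLine = $e.CommandLine }
        }
    }
}

# Live collection. Requires 'Audit Process Creation' (Success). CommandLine is populated only when
# 'Include command line in process creation events' is enabled; ParentProcessName exists on Server 2012 R2 and later.
function Get-ProcessCreationEvents {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated       = $_.TimeCreated
            SubjectUserName   = $data['SubjectUserName']
            ParentProcessName = $data['ParentProcessName']
            NewProcessName    = $data['NewProcessName']
            CommandLine       = $data['CommandLine']
        }
    }
}

# Persistence sweep: scheduled tasks registered since $Since, with the command each one runs.
function Get-RecentScheduledTasks {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-ScheduledTask | Where-Object { $_.Date -and [datetime]$_.Date -ge $Since } |
        Select-Object TaskName, TaskPath, Author, Date,
            @{ Name = 'Command'; Expression = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; ' } }
}

# Constructed sample records in the shape returned by Get-ProcessCreationEvents (the -enc value decodes to "IEX").
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2026-05-13 09:15:13'; SubjectUserName = 'svc_spapp'; ParentProcessName = 'C:\Windows\System32\inetsrv\w3wp.exe'; NewProcessName = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe /c whoami' }
    [pscustomobject]@{ TimeCreated = '2026-05-13 09:15:14'; SubjectUserName = 'svc_spapp'; ParentProcessName = 'C:\Windows\System32\cmd.exe'; NewProcessName = 'C:\Windows\System32\whoami.exe'; CommandLine = 'whoami' }
    [pscustomobject]@{ TimeCreated = '2026-05-13 09:15:40'; SubjectUserName = 'svc_spapp'; ParentProcessName = 'C:\Windows\System32\inetsrv\w3wp.exe'; NewProcessName = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell.exe -nop -w hidden -enc SQBFAFgA' }
    [pscustomobject]@{ TimeCreated = '2026-05-13 09:20:00'; SubjectUserName = 'admin'; ParentProcessName = 'C:\Windows\explorer.exe'; NewProcessName = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell.exe' }
)

# Usage over the constructed records: two hits (cmd.exe and powershell.exe under w3wp.exe); the admin's
# interactive PowerShell is not a w3wp.exe child and is not flagged. On a farm server, replace $SampleEvents
# with (Get-ProcessCreationEvents) and review Get-RecentScheduledTasks alongside it.
Find-W3wpSuspiciousChildren -Events $SampleEvents | Format-Table -AutoSize
```

Run it under an account that can read the Security log; in a farm, the same logic belongs in the SIEM rule that the list above asks you to forward events to, keyed on the application pool identities rather than a single account name.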
How to Mitigate CVE-2026-40368
Immediate Actions Required
- Apply the Microsoft security update referenced in the MSRC advisory for CVE-2026-40368 to all affected SharePoint Server installations
- Inventory SharePoint farms to confirm patch deployment across web front-ends, application servers, and search roles
- Audit SharePoint user permissions and remove unnecessary contributor or higher-level access
- Rotate SharePoint service account credentials if compromise is suspected
Patch Information
Microsoft has released security updates for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016. Administrators should consult the Microsoft CVE-2026-40368 Update guidance for build numbers and KB articles applicable to each supported version.
Workarounds
- Restrict network access to SharePoint endpoints using firewall rules and require VPN or zero-trust gateway access for remote users
- Enforce multi-factor authentication on all SharePoint accounts to raise the bar for authenticated exploitation
- Place SharePoint application pools under least-privilege service accounts to reduce blast radius if exploitation succeeds
To confirm the farm build and the SharePoint updates actually installed on a server:
# Verify SharePoint patch level (elevated SharePoint Management Shell on a farm server)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Get-SPFarm | Select-Object BuildVersion
# Get-HotFix lists Windows updates only; SharePoint security updates register as installed products
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' | Where-Object { $_.DisplayName -like '*SharePoint*' } | Select-Object DisplayName, InstallDate | Sort-Object InstallDate -Descending
This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.