CVE-2026-45454: Path Traversal in Microsoft SharePoint Server – Patch Guidance
A path traversal vulnerability in Microsoft SharePoint Server allows an authenticated user to access files and data outside intended boundaries, potentially leading to unauthorized code execution across the network. An attacker with valid credentials can manipulate file paths to reach restricted directories and execute arbitrary code—a serious concern in multi-tenant or shared SharePoint environments where user trust is assumed but not absolute.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-22
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45454 exploits improper pathname validation (CWE-22) in SharePoint Server. The vulnerability requires low-complexity exploitation over the network and leverages valid user credentials, but once triggered, grants the attacker high-impact read access and potential code execution capabilities. The attack does not require user interaction and operates within a single trust boundary, making it particularly valuable to insiders or compromised accounts with legitimate access.
Business impact
Organizations using SharePoint Server face significant risk in scenarios where users with basic access could escalate privileges to read sensitive documents, extract intellectual property, or execute code that modifies business-critical workflows. In regulated environments (finance, healthcare, legal), unauthorized data disclosure through this vector could trigger compliance violations and breach notification obligations. The attack surface widens in organizations with diverse user bases or outsourced SharePoint administration.
Affected systems
Microsoft SharePoint Server versions are affected; verify your specific deployment version against the official Microsoft security advisory to confirm which releases require immediate patching. On-premises SharePoint Server installations are the primary exposure vector; SharePoint Online (cloud) configurations may have different vulnerability status—consult Microsoft documentation.
Exploitability
Exploitation is straightforward once an attacker has obtained valid credentials, but it is not remotely exploitable without authentication. The low complexity rating reflects the simplicity of the attack once access is granted. This makes credential compromise, insider threats, and shared accounts significant risk factors. There is no evidence (as of the advisory date) that this vulnerability is being actively exploited in the wild or weaponized by threat actors.
Remediation
Apply the security update released by Microsoft immediately to all affected SharePoint Server deployments. Verify the patch version against Microsoft's official advisory before deployment. In parallel, review and restrict SharePoint permissions for high-privilege accounts, disable unnecessary service accounts, and audit recent file access logs for suspicious path traversal patterns.
Patch guidance
1. Identify all SharePoint Server instances and their current build versions via the Central Administration dashboard or PowerShell (Get-SPFarm). 2. Stage the official Microsoft cumulative update in a test environment and validate against your organization's custom solutions and third-party extensions. 3. Deploy during a maintenance window with rollback capability enabled. 4. Post-patch, restart IIS and SharePoint services, then verify via the build number confirmation. Consult Microsoft's official patch documentation for detailed step-by-step procedures specific to your version.
Detection guidance
Monitor Windows Event Logs and SharePoint diagnostic logs for: (1) unusual file access patterns outside user-assigned document libraries; (2) path sequences containing '../' or encoded traversal characters; (3) failed access attempts followed by successful ones using alternative paths; (4) code execution events (PowerShell, executable spawning) originating from SharePoint application pools. Deploy SIEM correlation rules to flag authenticated users accessing files inconsistent with their assigned permissions. Review audit logs in the SharePoint admin center for suspicious document downloads or metadata modifications.
Why prioritize this
Although unpatched versions face real risk, this vulnerability requires valid credentials and is not actively exploited. Organizations should prioritize patching within 30 days but may deprioritize relative to zero-day or wormable threats. However, if your SharePoint environment grants broad access to contractors, partners, or junior staff, move this into immediate-patch territory due to insider/credential-compromise risk.
Risk score, explained
The CVSS 6.5 MEDIUM rating reflects the requirement for prior authentication and network access, balanced against high confidentiality impact (unauthorized file read). No integrity or availability impact is scored, though code execution risk suggests real-world impact could exceed the base score in scenarios where executed code modifies or deletes data. The attack vector (network), low complexity, and lack of user interaction elevate concern within corporate environments despite the credential requirement.
Frequently asked questions
Do I need to patch immediately if our SharePoint is only accessible to internal staff?
No, but prioritize within 30 days. The credential requirement significantly reduces external risk. However, focus on any high-privilege accounts, shared credentials, or contractor access—those vectors raise urgency immediately.
Does this affect SharePoint Online (Microsoft 365)?
The advisory specifically references SharePoint Server (on-premises). SharePoint Online's cloud-hosted nature and automated patching differ substantially. Verify Microsoft's separate guidance for cloud deployments, as they may already be patched or unaffected.
What indicators should we hunt for in our logs?
Look for authentication events followed by file access requests containing path traversal sequences ('../'), unusual directory traversals outside assigned libraries, or unexpected code execution (PowerShell cmdlets, executable spawning) from SharePoint process accounts.
Can this vulnerability be exploited without valid credentials?
No. The CVSS vector requires PR:L (Privilege Required: Low), meaning an attacker must first obtain legitimate user credentials or compromise an existing account. This is both a limiting factor and a reminder to audit account security and access controls.
This analysis is provided for informational purposes and does not constitute legal, compliance, or professional security advice. Vulnerability details and patch status are subject to change; always consult the official Microsoft Security Update Guide and your organization's security policies before patching. SEC.co assumes no liability for actions taken or not taken based on this analysis. Exploit code, proof-of-concept demonstrations, or active threat intelligence are not provided herein. Organizations should validate all guidance in test environments before production deployment. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-32193HIGHAzure Kubernetes Service Path Traversal Privilege Escalation (CVSS 8.8)
- CVE-2026-45482HIGHPath Traversal in Visual Studio Code and GitHub Copilot
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25421MEDIUMOpen STA Manager 2.3 Path Traversal File Download Vulnerability
- CVE-2019-25734MEDIUMContact Form by WD CSRF & Local File Inclusion Vulnerability
- CVE-2019-25740MEDIUMJoomla com_jsjobs Arbitrary File Deletion Vulnerability
- CVE-2022-50953MEDIUMWordPress admin-word-count-column Plugin Local File Read Vulnerability
- CVE-2024-47263MEDIUMSynology Hyper Backup Path Traversal – Admin Privilege Required