CVE-2026-33827
An insecure deserialization vulnerability in the SharePoint Server workflow engine allows an authenticated remote attacker to achieve code execution on the SharePoint server. The flaw resides in the workflow activity processing pipeline, where untrusted serialized objects are deserialized without adequate type validation. Threat actors have been observed chaining this vulnerability with CVE-2026-32201 (SharePoint spoofing zero-day) to escalate from unauthenticated session hijack to full server-side code execution against enterprise SharePoint farms.
CVSS v3 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-502