SharePoint’s Upload.aspx resolves the RootFolder query parameter via SPWeb.GetFolder() without verifying folder ownership against the List parameter. An authenticated user with Contribute on any document library can upload files to any other library on the site — including _catalogs/masterpage. When PageParserPaths enables server-side scripts, the attacker uploads an ASPX webshell achieving Remote Code Execution as w3wp.exe.

Introduction

Microsoft SharePoint Server is the most widely deployed enterprise document management and collaboration platform, used by governments, financial institutions, and enterprises worldwide. Its permission model relies on granular per-library access controls: users may hold Contribute rights on one document library but have no access to another on the same site.

This research documents a path traversal vulnerability (CWE-22) in SharePoint Server’s Upload.aspx page, tracked as CVE-2026-45454. The UploadPage.CurrentFolder property in microsoft.office.policy.pages.dll resolves the user-supplied RootFolder query parameter via SPWeb.GetFolder() without verifying that the resolved folder belongs to the document library specified by the List parameter.

This mismatch allows an attacker to pass permission checks against a library they have access to (List) while redirecting the actual file upload to a completely different library (RootFolder) — including the sensitive _catalogs/masterpage gallery. When combined with PageParserPaths configurations that allow server-side script execution, this escalates to full Remote Code Execution.

Responsible Disclosure: The RCE proof-of-concept (exploit_rce_masterpage.py) is withheld until 2026-07-10 — 30 days after patch release — to allow administrators time to apply KB5002874 / KB5002880. The path traversal PoC and full technical description are available immediately.

Attack Overview

Figure 1 — Complete attack flow: from Contribute permissions on Documents to RCE via Master Page Gallery traversal.

Initial Access: Attacker holds Contribute permissions on any document library (e.g., “Documents”) on a SharePoint site. This is a standard permission level granted to most authenticated users.

Path Traversal: Attacker crafts a request to /_layouts/15/Upload.aspx with List={Documents_GUID} (passes permission check) but RootFolder=/_catalogs/masterpage (redirects upload to Master Page Gallery).

Authorization Bypass: SharePoint’s UploadPage checks AddListItems permission against the List parameter only. The CurrentFolder property resolves RootFolder via SPWeb.GetFolder() without any ownership validation — the file lands in the attacker-chosen destination.

Code Execution: When PageParserPaths is configured with AllowServerSideScript="true" for /_catalogs/masterpage/*, the uploaded ASPX webshell is compiled and executed server-side by SharePoint, running arbitrary OS commands as the w3wp.exe application pool identity.

 

Why is PageParserPaths commonly enabled?

SharePoint deployments with custom branding, custom master pages, or third-party design packages frequently configure PageParserPaths in web.config to allow server-side code in the Master Page Gallery. This is a documented Microsoft configuration pattern for enabling custom code-behind in content database pages. Many production SharePoint farms have this setting enabled.

What about SharePoint SafeMode?

SharePoint’s SafeMode page parser blocks inline code blocks (<% %>, <script runat="server">) in pages stored in the content database by default. However, the PageParserPaths configuration explicitly overrides SafeMode for specified paths. When set for /_catalogs/masterpage/* with AllowServerSideScript="true", full inline code execution is permitted — completely bypassing SafeMode protections.

Root Cause Analysis

SharePoint’s Upload.aspx page (code-behind: UploadPage in microsoft.office.policy.pages.dll) accepts two query string parameters:

Parameter Purpose Security Role
List GUID of target document library Used for permission checks via RightsRequired
RootFolder Server-relative folder URL Resolved via GetFolder() — NO ownership validation

Vulnerable Call Stack

Figure 2 — Call stack showing how attacker-controlled RootFolder flows unchecked to SPFolder.Files.Add().

Vulnerable Code (Pre-Patch)

Patch Diff (KB5002874 / KB5002880)

Figure 3 — Code diff showing the ParentListId ownership check added in the patched version.

Patched Code

Aspect Vulnerable Patched
Folder Resolution GetFolder(RootFolder) with no ownership check GetFolder() + ParentListId == CurrentList.ID
Null CurrentList Silently continues Throws ArgumentException
Audit Logging None ULS trace tags 495502806, 495502807

Exploit Chain Detail

Tier 1 — Arbitrary File Upload to Restricted Libraries (Unconditional)

  • Enumerate source library GUID: GET /_api/web/lists/GetByTitle('Documents') → extract List GUID for permission context
  • Fetch Upload.aspx with traversed RootFolder: GET /_layouts/15/Upload.aspx?List={Docs_GUID}&RootFolder=/Restricted%20Documents
    → extract __REQUESTDIGEST, __VIEWSTATE, __EVENTVALIDATION form tokens
  • POST file upload with form tokens: POST multipart/form-data to same URL → file lands in “Restricted Documents” despite List pointing to “Documents”
  • Verify traversal: GET /_api/web/lists/GetByTitle('Restricted Documents')/items → traversal_proof.txt confirmed in restricted library

Tier 2 — RCE via Master Page Gallery (Conditional on PageParserPaths)

  • Upload ASPX webshell to Master Page Gallery: POST Upload.aspx?List={Docs_GUID}&RootFolder=/_catalogs/masterpage
    → webshell.aspx written to _catalogs/masterpage/
  • Trigger server-side compilation: GET /_catalogs/masterpage/webshell.aspx?cmd=whoami
    → SharePoint compiles ASPX, executes inline C# code
  • Arbitrary OS command execution: Response: application pool identity → full RCE as w3wp.exe process

HTTP Request Anatomy

Figure 4 — Annotated HTTP request showing the List/RootFolder parameter mismatch that enables path traversal.

Proof-of-Concept & Evidence

Path Traversal PoC

PoC Execution — Vulnerable Server

PoC Execution — Patched Server

ASPX Webshell Payload (Tier 2 — RCE)

Note: This is a generic example webshell for illustration purposes only. The actual RCE PoC (exploit_rce_masterpage.py) is withheld until 2026-07-10 per the responsible disclosure embargo.

PageParserPaths Configuration (RCE Prerequisite)

Test Results Comparison

Metric Vulnerable Server Patched Server
HTTP Response 200 200 (error page)
File in target library Yes (traversal_proof.txt) No (0 files)
Webshell in Master Page Gallery Yes No (traversal blocked)
Server-side code execution Yes N/A
whoami output App pool identity N/A
Error logged None ULS 495502806

Affected Products

Product CPE 2.3 Vulnerable KB (May 2026) Patched KB (June 2026)
SharePoint Server 2019 cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:* KB5002870 KB5002874
SharePoint Server 2016 cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:* KB5002868 KB5002880
SharePoint Server SE cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:* KB5002863 Consult MSRC

Vulnerable Binary Details

Field SP2019 (Vulnerable) SP2019 (Patched)
Binary microsoft.office.policy.pages.dll
File Version 16.0.10337.12109 16.0.10417.20153
Size 547,096 bytes 541,544 bytes
SHA256 E7ECA49A...F51CBA D9A8905C...C92614
Farm Build 16.0.10417.20128 16.0.10417.20153

 

Field SP2016 (Vulnerable) SP2016 (Patched)
Binary microsoft.office.policy.pages.dll
File Version 16.0.5535.1000 16.0.5556.1000
Size 436,128 bytes 436,992 bytes
SHA256 79E3C4BA...634919 AF038264...196052
Farm Build 16.0.5552.1002 16.0.5556.1002

Tested Environment

Component Detail
OS Windows Server 2025 Standard 24H2 — Build 26100.32860 (x64)
SharePoint SharePoint Server 2019 — Farm Build 16.0.10417.20128
Installed KB KB5002870 (May 2026 SharePoint CU)

Impact Assessment

Impact Tiers

Tier Condition Impact
Tier 1 Unconditional — any vulnerable SharePoint Upload files to any document library bypassing per-library access controls. Tamper with restricted content (policy docs, contracts, regulatory filings).
Tier 2 PageParserPaths configured for Master Page Gallery Full Remote Code Execution as w3wp.exe app pool identity. Access to SQL Server, content databases, and domain resources via Kerberos delegation.

 

Impact Area Detail
Authorization Bypass Per-library access controls completely bypassed — any authenticated user with Contribute on one library can upload to any other library on the site
OS Command Execution Arbitrary commands as w3wp.exe application pool identity when PageParserPaths enables server-side scripts
Data Exfiltration Read access to SharePoint content databases, configuration files, and any data accessible to the app pool identity
Content Tampering Upload or overwrite files in restricted libraries — policy documents, contracts, regulatory filings
Persistence Webshell persists as a gallery page surviving app pool recycles; extendable with scheduled tasks or reverse shells
Lateral Movement App pool identity may have access to SQL Server, other SharePoint web apps, or domain resources via Kerberos delegation
Trust Erosion Any user with basic Contribute permissions becomes a potential attack vector — external collaborators, contractors, limited-access users

Detection

Network-Based — Suricata Rules

Host-Based — PowerShell Detection Script

ULS Log Tags (Post-Patch)

ULS Tag Message Meaning
495502806 “Possible folder traversal attempt” RootFolder resolved to folder outside specified List — active exploitation attempt
495502807 “RootFolder parameter is being resolved but no target list is set” Null CurrentList — malformed or tampered request

HTTP Signature Reference

Offset Field Notes
HTTP URI /_layouts/15/Upload.aspx Target endpoint
Query param List={GUID} Library GUID used for permission check
Query param RootFolder=/path If path doesn’t belong to List GUID’s library → traversal
HTTP Method POST File upload via multipart form data
POST body ctl00$...InputFile Uploaded file content
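
The List/RootFolder mismatch in the signature table can be hunted for offline in IIS logs. This is an added example, not part of the original research or its detection scripts; the log lines and the GUID-to-library inventory are constructed, and it assumes W3C logs with a #Fields header plus an inventory of list GUIDs and library root folders exported from the farm.

```python
import posixpath
from urllib.parse import parse_qsl
UPLOAD_STEM = "/_layouts/15/upload.aspx"
# Constructed inventory (assumption): lower-case list GUID -> library root folder.
LIBRARIES = {
    "11111111-1111-1111-1111-111111111111": "/Shared Documents",
    "22222222-2222-2222-2222-222222222222": "/Restricted Documents",
}
# Constructed IIS W3C log lines, not taken from the original page.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2026-06-01 09:00:01 GET /_layouts/15/Upload.aspx List=%7B11111111-1111-1111-1111-111111111111%7D&RootFolder=%2FShared%20Documents%2FReports CONTOSO\\alice 10.0.0.5 200
2026-06-01 09:02:10 POST /_layouts/15/Upload.aspx List={11111111-1111-1111-1111-111111111111}&RootFolder=/Restricted%20Documents CONTOSO\\bob 10.0.0.9 200
2026-06-01 09:03:44 POST /_layouts/15/Upload.aspx List={11111111-1111-1111-1111-111111111111}&RootFolder=/_catalogs/masterpage CONTOSO\\bob 10.0.0.9 200
2026-06-01 09:05:00 GET /SitePages/Home.aspx - CONTOSO\\alice 10.0.0.5 200
"""

def norm_path(value):
    """Canonicalise a server-relative folder URL (collapses '..', ignores case)."""
    return posixpath.normpath("/" + value.strip("/")).lower()

def classify(query, libraries=LIBRARIES):
    """Return None when RootFolder lies inside the List library, else a reason."""
    params = {k.lower(): v for k, v in parse_qsl(query)}  # parse_qsl URL-decodes
    if "rootfolder" not in params:
        return None  # no folder override to compare
    lib_root = libraries.get(params.get("list", "").strip("{}").lower())
    if lib_root is None:
        return "unknown-list"
    lib_root, folder = norm_path(lib_root), norm_path(params["rootfolder"])
    if folder == lib_root or folder.startswith(lib_root + "/"):
        return None
    return "catalog-target" if "/_catalogs/" in folder + "/" else "outside-list"

def scan(log_text, libraries=LIBRARIES):
    """Return (timestamp, user, method, reason) for each mismatched request."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split(" ")))
            if row.get("cs-uri-stem", "").lower() != UPLOAD_STEM:
                continue
            reason = classify(row.get("cs-uri-query", ""), libraries)
            if reason:
                stamp = row["date"] + " " + row["time"]
                hits.append((stamp, row["cs-username"], row["cs-method"], reason))
    return hits
```

Hits in logs that predate the patch deserve follow-up, since the vulnerable build wrote no ULS entry for these requests.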

Mitigation & Recommendations

Immediate — Apply Patches

  • SharePoint Server 2019 — Install KB5002874 (June 2026). Patches CurrentFolder property with ParentListId ownership check.
  • SharePoint Enterprise Server 2016 — Install KB5002880 (June 2026). Same fix applied to SP2016 codebase.
  • SharePoint Server Subscription Edition — Consult MSRC advisory for applicable cumulative update.

Short-Term — Defence in Depth

  • Remove or restrict PageParserPaths — If custom branding does not require server-side code in the Master Page Gallery, remove the <PageParserPath> entry from web.config. This eliminates the RCE escalation path entirely, even on unpatched servers.
  • IIS Request Filtering — Block RootFolder parameters containing _catalogs in requests to /_layouts/15/Upload.aspx using URL Rewrite rules.
  • Audit Master Page Gallery — Review /_catalogs/masterpage for unexpected .aspx files. Any page not part of the original installation or known customizations should be investigated.
  • Least-privilege permissions — Review Contribute permission grants across document libraries. Restrict upload permissions to libraries where users genuinely need to add content.
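
The PageParserPaths review in the first item above can be run across every web application's web.config. This is an added example, not the page's detect_vulnerable.ps1; the web.config fragment is constructed, the probe page name is hypothetical, and VirtualPath wildcards are assumed to behave like simple globs.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Hypothetical page name, used only to test whether a VirtualPath covers the gallery.
GALLERY_PROBE = "/_catalogs/masterpage/probe.aspx"

# Constructed web.config fragment, not taken from the original page.
SAMPLE_WEB_CONFIG = """<configuration><SharePoint><SafeMode>
  <PageParserPaths>
    <PageParserPath VirtualPath="/_catalogs/masterpage/*" CompilationMode="Always"
                    AllowServerSideScript="true" />
    <PageParserPath VirtualPath="/pages/*" CompilationMode="Always"
                    AllowServerSideScript="true" />
    <PageParserPath VirtualPath="/SiteAssets/*" CompilationMode="Auto"
                    AllowServerSideScript="false" />
  </PageParserPaths>
</SafeMode></SharePoint></configuration>"""

def audit_page_parser_paths(xml_text):
    """Return (VirtualPath, severity) for every entry that overrides SafeMode."""
    findings = []
    for entry in ET.fromstring(xml_text).iter("PageParserPath"):
        # Only entries that allow server-side script lift the SafeMode restriction.
        if entry.get("AllowServerSideScript", "false").lower() != "true":
            continue
        pattern = entry.get("VirtualPath", "")
        # An entry covering the Master Page Gallery is the Tier 2 prerequisite.
        covers_gallery = fnmatch.fnmatchcase(GALLERY_PROBE, pattern.lower())
        findings.append((pattern, "rce-prerequisite" if covers_gallery else "review"))
    return findings
```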

Post-Incident — Forensic Checks

Timeline

MAY 31
Vulnerability Discovered: Path traversal identified in SharePoint Server 2019 Upload.aspx. RootFolder parameter mismatch confirmed in microsoft.office.policy.pages.dll (16.0.10337.12109).
MAY 31
Path Traversal PoC Developed: exploit_upload_traversal.py confirmed: file uploaded to restricted library via List/RootFolder parameter mismatch.
MAY 31
RCE Escalation Confirmed: ASPX webshell uploaded to Master Page Gallery and executed server-side on systems with PageParserPaths configured.
JUN 10
Microsoft Patches Released: KB5002874 (SP2019) and KB5002880 (SP2016) released. Fix adds ParentListId ownership check to CurrentFolder property.
JUN 10
CVE-2026-45454 Published: MSRC advisory and CVRF updated. Patched server verified: traversal blocked, ULS logging active.
JUL 10
RCE PoC Release (Scheduled): exploit_rce_masterpage.py to be published 30 days after patch release. Path traversal PoC and full technical description available now.

References

CurrentFolderServerRelativeUrl

PoC: exploit_upload_traversal.py, exploit_rce_masterpage.py — authorised testing only

Attribute Value
CVE CVE-2026-45454
CWE CWE-22: Improper Limitation of a Pathname to a Restricted Directory
Product Microsoft SharePoint Server 2019 / 2016 / Subscription Edition
Vulnerable Binary microsoft.office.policy.pages.dll
CVSS 4.0 (Aretiq AI) 8.2 High — AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N/E:P
CVSS 3.1 (Microsoft) 6.5 Medium — AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Required Privilege Contribute on any document library
User Interaction None
RCE Prerequisite PageParserPaths with AllowServerSideScript="true"
Patch (SP2019) KB5002874 (June 2026)
Patch (SP2016) KB5002880 (June 2026)
Exploitation Status Proof-of-Concept available; Microsoft rates exploitation as “Less Likely”

Downloads & Resources

Original Research PoCs

File Description Status
exploit_upload_traversal.py Path traversal PoC — uploads files through one library’s permission context into another Available
exploit_rce_masterpage.py RCE PoC — uploads ASPX webshell to Master Page Gallery and executes OS commands July 10, 2026

Supplementary Materials

File Description Status
webshell_payload.aspx Generic example ASPX webshell for illustration (not the embargoed PoC payload) Available
detect_vulnerable.ps1 PowerShell detection script — checks DLL version, SHA256, KBs, ULS logs, PageParserPaths Available
suricata_rules.rules Network detection rules for Suricata IDS/IPS Available
