SharePoint security fixes released with March 2026 PU and offered through Microsoft Update

Important: If your current farm patch level is September 2025 CU, remove the NT Authority\system account from WSS_WPG and IIS_IUSRS local security groups of the SharePoint machines – otherwise installing the SharePoint fixes will fail.

For more details check this article: Trending Issue: SharePoint fixes fail to install after installation of September 2025 CU
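The group check described in the notice above, as an added PowerShell example (not part of the original post or of Microsoft's guidance): it reports whether NT AUTHORITY\SYSTEM is a member of WSS_WPG or IIS_IUSRS on the local server and removes it only when run without -WhatIf. The function name is hypothetical; the script assumes an elevated Windows PowerShell 5.1 session with the LocalAccounts cmdlets and has to be run on each SharePoint machine.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. The function name is hypothetical.

function Remove-SystemFromSharePointGroup {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Local groups named in the notice above.
        [string[]] $GroupName = @('WSS_WPG', 'IIS_IUSRS')
    )

    # Well-known SID of NT AUTHORITY\SYSTEM; matching on the SID is
    # independent of the display language of the operating system.
    $systemSid = 'S-1-5-18'

    foreach ($group in $GroupName) {
        try {
            $members = @(Get-LocalGroupMember -Group $group -ErrorAction Stop)
        }
        catch {
            # Group missing or not readable: report it and check the next one.
            Write-Warning "Cannot read members of '$group': $($_.Exception.Message)"
            continue
        }

        $isMember = [bool]($members | Where-Object { $_.SID.Value -eq $systemSid })
        $removed  = $false

        # ShouldProcess returns $false under -WhatIf, so nothing is changed then.
        if ($isMember -and $PSCmdlet.ShouldProcess("$env:COMPUTERNAME\$group", 'Remove NT AUTHORITY\SYSTEM')) {
            Remove-LocalGroupMember -Group $group -Member $systemSid -Confirm:$false -ErrorAction Stop
            $removed = $true
        }

        # One result object per group, suitable for collecting across servers.
        [pscustomobject]@{
            Computer       = $env:COMPUTERNAME
            Group          = $group
            SystemIsMember = $isMember
            Removed        = $removed
        }
    }
}

# Report only: shows what would be removed without changing group membership.
Remove-SystemFromSharePointGroup -WhatIf
```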

Below are the security fixes for the SharePoint OnPrem versions released this month.

SharePoint Server 2016:

  • KB 5002850 – SharePoint Server 2016 (language independent)
  • KB 5002851 – SharePoint Server 2016 (language dependent)

Microsoft Support recommends installing the complete March 2026 CU for SharePoint 2016 rather than individual security fixes.

SharePoint Server 2019:

  • KB 5002845 – SharePoint Server 2019 (language independent)
  • KB 5002847 – SharePoint Server 2019 (language dependent)

Microsoft Support recommends installing the complete March 2026 CU for SharePoint 2019 rather than individual security fixes.

SharePoint Server Subscription Edition:

  • KB 5002843 – SharePoint Server Subscription Edition

This security fix is identical to the March 2026 CU for SharePoint Server Subscription Edition.

Office Online Server:

  • KB 5002846 – Office Online Server

Please have a look at the SharePoint Patching Best Practices before applying new fixes.

Security Vulnerabilities fixed in this PU

Vulnerability SP 2016 SP 2019 SP SE OOS Impact Max Severity
CVE-2026-26105 x x x Spoofing Important
CVE-2026-26106 x x x Remote Code Execution Important
CVE-2026-26107 x Remote Code Execution Important
CVE-2026-26108 x Remote Code Execution Important
CVE-2026-26109 x Remote Code Execution Important
CVE-2026-26112 x Remote Code Execution Important
CVE-2026-26113 x x x Remote Code Execution Critical
CVE-2026-26114 x x Remote Code Execution Important

See the Security Update Guide below for more details about the relevant fixes:

12 Comments


  1. The KB number textual is wrong for Office Online Server, it should be KB5002846 and not KB5002843

    1. Thanks Jet!
      Fixed it.

  2. We receive the following error on all our SharePoint SE farms when we run the Configuration Wizard:

    Upgrade Timer job is exiting due to exception: Microsoft.Data.SqlClient.SqlException (0x80131904): Invalid column name ‘SAFE_NOTIFICATION_DATA’. Invalid column name ‘SAFE_NOTIFICATION_DATA’. Invalid column name ‘SAFE_NOTIFICATION_DATA’.

    Is anyone else seeing the same issue?

  3. Hi Stefan, thank you for the great information. We are running SharePoint 2016 Server. If we went from the July 2025 CU directly to the March 2026 CU, would the NT Authority\system thing be an issue? Any input would be greatly appreciated. Thanks

    1. Hi Ray,
      no – this scenario does not require any special considerations.
      Cheers,
      Stefan

      1. Thank you very much. Appreciate your help!

  4. Hi Stefan,
    Today, we observed a Microsoft Remote Code Execution (RCE) vulnerability that was initially released on January 13 and updated today (17th) with a new exploit, identified as CVE-2026-20963. The vulnerability has a base score of 8.8.
    We have already applied the February patch on our servers. Could you please confirm whether Microsoft has released any additional patches for this vulnerability? Also, kindly advise on any recommended mitigation steps.

  5. Hi Stefan,

    I’m running into an issue after installing the March CU on our SharePoint 2019 on‑prem server. Below is the error I’m seeing when running PSConfig.
    I have 2W + 3App servers + 1 DB
    previous October CU was installed
    Please let me know if you need any additional details.
    “Task upgrade has failed with a PostSetupConfigurationTaskException An exception of type Microsoft.SharePoint.PostSetupConfiguration.PostSetupConfigurationTaskException was thrown. Additional exception information: The upgrade command is invalid or a failure has been encountered.

    Number of user defined objects dropped incorrectly = ‘2549’ (EventID:ajyyy)

    User Defined Object [proc_GetVersion] Modified (EventID:ajyyz)

    User Defined Object [proc_SetVersion] Modified (EventID:ajyyz)”

    Thanks

    1. Hi Tayyab,

      I haven’t seen this problem.
      My suggestion would be to open a support case to get assistance.

      Cheers,
      Stefan

  6. Hi Stefan, our SharePoint Server SE is currently updated with the Feb patch. Do we still need to remove the NT Authority\system account from the WSS_WPG and IIS_IUSRS local security groups of the SharePoint machines to install upcoming cumulative updates like for March etc.?

    1. Hi Priyanka,
      no – this is only required when upgrading from September 2025 CU.
      Cheers,
      Stefan
