CVE-2026-41087: Fix Windows File Explorer Data Leak

Microsoft has disclosed CVE-2026-41087, a Windows File Explorer information-disclosure vulnerability that can allow a locally authenticated attacker to expose sensitive data. The flaw carries a CVSS 3.1 base score of 5.5 and affects supported Windows 10, Windows 11, and Windows Server releases below Microsoft’s specified patched build levels.
Detailed in the Microsoft Security Response Center’s July 14, 2026 advisory, the vulnerability does not provide remote code execution or administrator privileges. Its practical risk is narrower but still significant: an attacker who already has low-privilege access to a Windows machine can reportedly use File Explorer to obtain information that should not be available to that account.
The National Vulnerability Database describes the weakness as an “exposure of sensitive information to an unauthorized actor” and maps it to CWE-200. Microsoft is the assigning authority for the CVE and has confirmed the vulnerability, although its public description does not identify the exact Explorer feature, file type, or data structure responsible for the disclosure.

A cybersecurity analyst monitors server dashboards showing alerts, vulnerabilities, and exposed sensitive files.The CVSS Vector Tells a Local-Attack Story​

Microsoft assigned CVE-2026-41087 the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. Each component narrows the likely operational impact.
The local attack vector means exploitation must originate from the affected Windows system rather than directly across a network. The attacker also needs low-level privileges, so this is not a pre-authentication flaw that an anonymous internet user can trigger against an exposed workstation or server.
Attack complexity is rated low, however, and no separate user interaction is required. Once an attacker can execute the relevant actions under an authorized account, exploitation should not depend on another user opening a malicious file, clicking a link, or approving a prompt.
The most important rating is high confidentiality impact. Microsoft expects successful exploitation to expose sensitive information, but the vulnerability does not directly alter data, disrupt Windows, or cross into a different security authority. Its integrity and availability impacts are both rated none, and scope remains unchanged.
That combination explains the moderate 5.5 score. CVE-2026-41087 is not a machine-compromise vulnerability by itself, but information disclosures frequently matter as ingredients in larger attack chains. Leaked paths, identifiers, memory-derived information, filenames, metadata, or security context details can help an attacker understand a system and prepare a subsequent privilege-escalation or credential-access attempt.
Microsoft has not publicly stated what information File Explorer exposes in this case. Administrators should therefore avoid assuming that the bug is limited to filenames or ordinary folder metadata simply because Explorer is the named component.

Patched Builds Span Windows 10 Through Server 2025​

The affected-version data submitted by Microsoft identifies fixed build boundaries across client and server editions. Systems at or above the following revisions are outside the listed vulnerable ranges:
  • Windows 10 version 1607 and Windows Server 2016 require build 14393.9339 or later.
  • Windows 10 version 1809 and Windows Server 2019 require build 17763.9020 or later.
  • Windows 10 version 21H2 requires build 19044.7548 or later.
  • Windows 10 version 22H2 requires build 19045.7548 or later.
  • Windows 11 version 24H2 requires build 26100.8875 or later.
  • Windows 11 version 25H2 requires build 26200.8875 or later.
  • Windows 11 version 26H1 requires build 28000.2269 or later.
  • Windows Server 2022 requires build 20348.5386 or later.
  • Windows Server 2025 requires build 26100.33158 or later.
Server Core installations of Windows Server 2016, Windows Server 2019, and Windows Server 2025 are also included in Microsoft’s affected-product data. That is worth noting because Server Core lacks the conventional desktop Explorer experience, yet it still contains shared Windows components and code that can fall under an Explorer-associated CVE.
For mainstream Windows 11 version 24H2 and 25H2 devices, the relevant July cumulative update is KB5101650, which advances those branches to builds 26100.8875 and 26200.8875. Windows 10 version 21H2 and 22H2 systems reach builds 19044.7548 and 19045.7548 through KB5099539.
Windows 11 version 26H1 has a different chronology. Microsoft’s affected-version record places the fixed boundary at build 28000.2269, which was delivered in the June 9, 2026 cumulative update KB5095051. Devices already running that build or a later 26H1 cumulative update meet the CVE record’s stated remediation threshold even though Microsoft published CVE-2026-41087 on July 14.
That distinction matters for inventory tools. A scanner that checks only whether a July update is installed could report a misleading result on 26H1, while a build-based assessment should correctly recognize 28000.2269 and later as remediated.

Shared Machines Carry the More Immediate Risk​

The prerequisites make CVE-2026-41087 most relevant on systems where potentially untrusted users already receive interactive access. Remote Desktop Session Host deployments, jump boxes, lab machines, classroom PCs, kiosks that permit access beyond a tightly constrained shell, and shared administrative workstations deserve closer attention than isolated single-user devices.
A malicious insider or an attacker operating through a compromised standard account would fit Microsoft’s stated model. The attacker would not need to persuade another user to interact with content, and the low-complexity rating suggests the disclosure does not require an unusually fragile race condition or elaborate environmental preparation.
The vulnerability may also matter in incident response. If an organization discovers malware or unauthorized account activity on an unpatched endpoint, responders should not treat the account’s nominal permission level as proof that sensitive local information remained inaccessible. Microsoft’s confidentiality-high assessment indicates that the disclosure can reach beyond what the attacker should ordinarily be able to inspect.
At the same time, the advisory does not justify treating CVE-2026-41087 as equivalent to remote code execution. It cannot, based on the published vector, be exploited anonymously over the network, and it does not directly grant SYSTEM privileges. Existing controls such as least privilege, application control, restricted interactive logon, and rapid containment of compromised accounts remain meaningful barriers.

Build Verification Is the Reliable Check​

Administrators can confirm a device’s revision by running winver, checking the OS build in Settings, or querying managed endpoints through PowerShell, Microsoft Intune, Configuration Manager, or another inventory platform. The comparison must include the revision after the decimal point: build 26100 alone is not enough to determine whether a Windows 11 24H2 installation has crossed the 26100.8875 boundary.
Organizations should deploy the applicable cumulative update through Windows Update, Windows Update for Business, Windows Server Update Services, Microsoft Intune, or their normal patch-management platform. Because Windows cumulative updates supersede earlier packages, installing a newer supported cumulative update should also provide the File Explorer correction.
There is no public technical description detailed enough to support a narrowly targeted configuration workaround. Disabling random Explorer features, hiding File Explorer, or changing file associations would therefore be speculative and could interfere with normal workflows without removing the vulnerable code path. Installing a cumulative update that reaches the fixed build is the dependable remediation.
CVE-2026-41087 is ultimately a local information leak rather than a direct takeover route, but its low attack complexity, lack of user interaction, and high confidentiality impact make postponement difficult to defend on shared or already exposed systems. The immediate task for Windows administrators is concrete: inventory exact build revisions, prioritize multi-user endpoints and servers that permit interactive logon, and move every affected branch to Microsoft’s fixed build or later.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: thewincentral.com
 

Back
Top