CVE-2026-50657: Update Defender for Mac to 101.26042.0020

Microsoft Defender for Endpoint for Mac build 101.26042.0020 fixes CVE-2026-50657, an information-disclosure vulnerability that can expose private personal information to a locally authenticated attacker. Organizations running any Defender for Endpoint for Mac release from 101.0.0 up to, but not including, 101.26042.0020 should update the security client rather than treating fresh malware definitions as sufficient protection.
Microsoft disclosed the flaw on July 14, 2026, through the Microsoft Security Response Center as part of its July security releases. The National Vulnerability Database describes the weakness as exposure of private personal information to an unauthorized actor and maps it to CWE-359.
The vulnerability carries a CVSS 3.1 score of 4.7, but Microsoft rates it Important. That apparent mismatch matters: the score reflects substantial barriers to exploitation, while the rating recognizes that successful exploitation can have a high confidentiality impact on a product entrusted with deep endpoint visibility.

Cybersecurity dashboard showing endpoint protection, device compliance, and secure laptop monitoring.Exploitation Starts From Inside the Mac​

CVE-2026-50657 is not a drive-by browser attack or an unauthenticated vulnerability reachable directly over the network. Its CVSS vector is AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating that an attacker must operate locally, already possess low-level privileges, and overcome high attack complexity.
No additional user interaction is required once those conditions have been met. Microsoft’s description says an authorized attacker could exploit the vulnerability locally to disclose information, although the company has not publicly documented the precise data exposed or the internal Defender component responsible.
The vulnerability’s practical characteristics are:
  • Exploitation requires local access rather than a direct network connection.
  • The attacker must already hold low privileges on the affected Mac.
  • Attack complexity is rated high.
  • A second user does not have to click a prompt or open another file during exploitation.
  • Successful exploitation can have a high impact on confidentiality.
  • Microsoft assigns no direct integrity or availability impact, so the flaw is not described as modifying data, executing arbitrary code, or crashing the endpoint.
Those constraints make CVE-2026-50657 less urgent than a remotely exploitable Defender vulnerability, but they do not make it irrelevant. Local information-disclosure flaws are particularly useful after an attacker has obtained an initial foothold through stolen credentials, malicious software, an unsafe package, or another vulnerability.
The absence of a documented integrity impact also means CVE-2026-50657 should not be presented as a privilege-escalation or remote-code-execution bug. Microsoft separately disclosed CVE-2026-50658 and CVE-2026-56178 as elevation-of-privilege vulnerabilities in Defender for Endpoint for Mac during the same July release cycle.

Defender’s Position on the Endpoint Raises the Stakes​

Microsoft Defender for Endpoint for Mac is not an ordinary desktop application. It operates through Apple’s system-extension architecture and feeds security telemetry, alerts, vulnerability information, and investigation data into the broader Microsoft Defender environment.
That position can make any unintended disclosure more consequential than the CVSS number initially suggests. Endpoint detection and response software routinely processes security events and contextual information that administrators would not want exposed to an attacker already present on the machine.
Microsoft has not specified whether CVE-2026-50657 can reveal telemetry, diagnostic information, user-related data, file metadata, configuration details, or another category of private information. Administrators should therefore avoid assuming that the flaw exposes credentials or any other particular secret unless Microsoft publishes additional technical details.
The key confirmed result is narrower: an attacker with local, low-privileged access may be able to cross an intended information boundary and obtain private personal information. The confidentiality impact is rated high, while integrity and availability remain unaffected under Microsoft’s assessment.
Zero Day Initiative’s review of the July 2026 security releases lists the vulnerability as neither publicly disclosed nor exploited in the wild at release time. That lowers immediate incident-response pressure, but it also marks July 14 as the point at which defenders and attackers gained a searchable identifier, affected-version boundary, weakness classification, and attack vector.
The technical disclosure remains limited. There is no public proof of concept, detailed attack sequence, or documented indicator of compromise attached to the available advisories.

Security Intelligence Updates Do Not Replace the Client Fix​

Defender for Endpoint for Mac receives several kinds of updates, including security intelligence, engine changes, and application releases. CVE-2026-50657 is addressed by updating the Defender application to the corrected build; merely confirming that malware signatures are current does not establish that the vulnerable program code has been replaced.
The affected range recorded by Microsoft runs from version 101.0.0 through every release earlier than 101.26042.0020. Administrators should treat 101.26042.0020 as the minimum safe build for this specific CVE and deploy a newer supported release if one is already available in their configured update channel.
Microsoft distributes Defender for Endpoint updates on macOS through Microsoft AutoUpdate, commonly abbreviated as MAU. MAU periodically checks for releases and can download and install them automatically, depending on organizational policy.
For managed fleets, the first task is to verify deployment rather than assume automatic updating completed everywhere. Sleeping laptops, machines rarely connected to the corporate network, update deferrals, damaged MAU installations, or restrictive configuration profiles can leave individual Macs behind the fleet baseline.
Administrators who need to trigger the Defender update directly can use Microsoft AutoUpdate’s msupdate utility. Microsoft identifies Defender for Endpoint for Mac with the application ID WDAV00:
Code:
cd /Library/Application\ Support/Microsoft/MAU2.0/Microsoft\ AutoUpdate.app/Contents/MacOS
./msupdate --install --apps wdav00
That command should be followed by an inventory or local version check confirming that the installed build is 101.26042.0020 or later. Security teams should also validate that their management platform reports the application version itself, not only the antivirus engine or signature version.

The Fleet Check Matters More Than the Severity Label​

CVE-2026-50657 does not warrant disconnecting every Mac from the network. It does warrant a prompt application update and a reliable compliance query across Intune, Jamf Pro, or whichever management platform controls the organization’s macOS estate.
Priority should be highest for shared Macs, developer workstations, administrative devices, build systems, and endpoints where untrusted users or processes are more likely to obtain local execution. Macs used by security personnel may also deserve closer attention because Defender telemetry and investigation activity can be more sensitive on those endpoints.
Organizations can use a short remediation sequence:
  1. Inventory the installed Microsoft Defender for Endpoint for Mac application version.
  2. Flag every build earlier than 101.26042.0020 as vulnerable.
  3. Confirm that Microsoft AutoUpdate is enabled and able to install Defender releases.
  4. Force the WDAV00 update where normal deployment has stalled.
  5. Re-query the fleet and investigate machines that remain below the corrected build.
  6. Review local account access and recent suspicious activity on high-value Macs that were exposed.
The vulnerability was published on July 14, 2026, with no known public exploitation at disclosure. The concrete operational deadline is therefore not a future macOS patch cycle: it is the point at which every managed Mac reports Microsoft Defender for Endpoint build 101.26042.0020 or newer.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: learn.microsoft.com
  3. Related coverage: techradar.com
 

Back
Top