Microsoft has disclosed CVE-2026-41087, a Windows File Explorer information-disclosure vulnerability that can allow a locally authenticated attacker to expose sensitive data. The flaw carries a CVSS 3.1 base score of 5.5 and affects supported Windows 10, Windows 11, and Windows Server releases below Microsoft’s specified patched build levels.
Detailed in the Microsoft Security Response Center’s July 14, 2026 advisory, the vulnerability does not provide remote code execution or administrator privileges. Its practical risk is narrower but still significant: an attacker who already has low-privilege access to a Windows machine can reportedly use File Explorer to obtain information that should not be available to that account.
The National Vulnerability Database describes the weakness as an “exposure of sensitive information to an unauthorized actor” and maps it to CWE-200. Microsoft is the assigning authority for the CVE and has confirmed the vulnerability, although its public description does not identify the exact Explorer feature, file type, or data structure responsible for the disclosure.
Microsoft assigned CVE-2026-41087 the vector
The local attack vector means exploitation must originate from the affected Windows system rather than directly across a network. The attacker also needs low-level privileges, so this is not a pre-authentication flaw that an anonymous internet user can trigger against an exposed workstation or server.
Attack complexity is rated low, however, and no separate user interaction is required. Once an attacker can execute the relevant actions under an authorized account, exploitation should not depend on another user opening a malicious file, clicking a link, or approving a prompt.
The most important rating is high confidentiality impact. Microsoft expects successful exploitation to expose sensitive information, but the vulnerability does not directly alter data, disrupt Windows, or cross into a different security authority. Its integrity and availability impacts are both rated none, and scope remains unchanged.
That combination explains the moderate 5.5 score. CVE-2026-41087 is not a machine-compromise vulnerability by itself, but information disclosures frequently matter as ingredients in larger attack chains. Leaked paths, identifiers, memory-derived information, filenames, metadata, or security context details can help an attacker understand a system and prepare a subsequent privilege-escalation or credential-access attempt.
Microsoft has not publicly stated what information File Explorer exposes in this case. Administrators should therefore avoid assuming that the bug is limited to filenames or ordinary folder metadata simply because Explorer is the named component.
For mainstream Windows 11 version 24H2 and 25H2 devices, the relevant July cumulative update is KB5101650, which advances those branches to builds 26100.8875 and 26200.8875. Windows 10 version 21H2 and 22H2 systems reach builds 19044.7548 and 19045.7548 through KB5099539.
Windows 11 version 26H1 has a different chronology. Microsoft’s affected-version record places the fixed boundary at build 28000.2269, which was delivered in the June 9, 2026 cumulative update KB5095051. Devices already running that build or a later 26H1 cumulative update meet the CVE record’s stated remediation threshold even though Microsoft published CVE-2026-41087 on July 14.
That distinction matters for inventory tools. A scanner that checks only whether a July update is installed could report a misleading result on 26H1, while a build-based assessment should correctly recognize 28000.2269 and later as remediated.
A malicious insider or an attacker operating through a compromised standard account would fit Microsoft’s stated model. The attacker would not need to persuade another user to interact with content, and the low-complexity rating suggests the disclosure does not require an unusually fragile race condition or elaborate environmental preparation.
The vulnerability may also matter in incident response. If an organization discovers malware or unauthorized account activity on an unpatched endpoint, responders should not treat the account’s nominal permission level as proof that sensitive local information remained inaccessible. Microsoft’s confidentiality-high assessment indicates that the disclosure can reach beyond what the attacker should ordinarily be able to inspect.
At the same time, the advisory does not justify treating CVE-2026-41087 as equivalent to remote code execution. It cannot, based on the published vector, be exploited anonymously over the network, and it does not directly grant SYSTEM privileges. Existing controls such as least privilege, application control, restricted interactive logon, and rapid containment of compromised accounts remain meaningful barriers.
Organizations should deploy the applicable cumulative update through Windows Update, Windows Update for Business, Windows Server Update Services, Microsoft Intune, or their normal patch-management platform. Because Windows cumulative updates supersede earlier packages, installing a newer supported cumulative update should also provide the File Explorer correction.
There is no public technical description detailed enough to support a narrowly targeted configuration workaround. Disabling random Explorer features, hiding File Explorer, or changing file associations would therefore be speculative and could interfere with normal workflows without removing the vulnerable code path. Installing a cumulative update that reaches the fixed build is the dependable remediation.
CVE-2026-41087 is ultimately a local information leak rather than a direct takeover route, but its low attack complexity, lack of user interaction, and high confidentiality impact make postponement difficult to defend on shared or already exposed systems. The immediate task for Windows administrators is concrete: inventory exact build revisions, prioritize multi-user endpoints and servers that permit interactive logon, and move every affected branch to Microsoft’s fixed build or later.
Detailed in the Microsoft Security Response Center’s July 14, 2026 advisory, the vulnerability does not provide remote code execution or administrator privileges. Its practical risk is narrower but still significant: an attacker who already has low-privilege access to a Windows machine can reportedly use File Explorer to obtain information that should not be available to that account.
The National Vulnerability Database describes the weakness as an “exposure of sensitive information to an unauthorized actor” and maps it to CWE-200. Microsoft is the assigning authority for the CVE and has confirmed the vulnerability, although its public description does not identify the exact Explorer feature, file type, or data structure responsible for the disclosure.
The CVSS Vector Tells a Local-Attack Story
Microsoft assigned CVE-2026-41087 the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. Each component narrows the likely operational impact.The local attack vector means exploitation must originate from the affected Windows system rather than directly across a network. The attacker also needs low-level privileges, so this is not a pre-authentication flaw that an anonymous internet user can trigger against an exposed workstation or server.
Attack complexity is rated low, however, and no separate user interaction is required. Once an attacker can execute the relevant actions under an authorized account, exploitation should not depend on another user opening a malicious file, clicking a link, or approving a prompt.
The most important rating is high confidentiality impact. Microsoft expects successful exploitation to expose sensitive information, but the vulnerability does not directly alter data, disrupt Windows, or cross into a different security authority. Its integrity and availability impacts are both rated none, and scope remains unchanged.
That combination explains the moderate 5.5 score. CVE-2026-41087 is not a machine-compromise vulnerability by itself, but information disclosures frequently matter as ingredients in larger attack chains. Leaked paths, identifiers, memory-derived information, filenames, metadata, or security context details can help an attacker understand a system and prepare a subsequent privilege-escalation or credential-access attempt.
Microsoft has not publicly stated what information File Explorer exposes in this case. Administrators should therefore avoid assuming that the bug is limited to filenames or ordinary folder metadata simply because Explorer is the named component.
Patched Builds Span Windows 10 Through Server 2025
The affected-version data submitted by Microsoft identifies fixed build boundaries across client and server editions. Systems at or above the following revisions are outside the listed vulnerable ranges:- Windows 10 version 1607 and Windows Server 2016 require build 14393.9339 or later.
- Windows 10 version 1809 and Windows Server 2019 require build 17763.9020 or later.
- Windows 10 version 21H2 requires build 19044.7548 or later.
- Windows 10 version 22H2 requires build 19045.7548 or later.
- Windows 11 version 24H2 requires build 26100.8875 or later.
- Windows 11 version 25H2 requires build 26200.8875 or later.
- Windows 11 version 26H1 requires build 28000.2269 or later.
- Windows Server 2022 requires build 20348.5386 or later.
- Windows Server 2025 requires build 26100.33158 or later.
For mainstream Windows 11 version 24H2 and 25H2 devices, the relevant July cumulative update is KB5101650, which advances those branches to builds 26100.8875 and 26200.8875. Windows 10 version 21H2 and 22H2 systems reach builds 19044.7548 and 19045.7548 through KB5099539.
Windows 11 version 26H1 has a different chronology. Microsoft’s affected-version record places the fixed boundary at build 28000.2269, which was delivered in the June 9, 2026 cumulative update KB5095051. Devices already running that build or a later 26H1 cumulative update meet the CVE record’s stated remediation threshold even though Microsoft published CVE-2026-41087 on July 14.
That distinction matters for inventory tools. A scanner that checks only whether a July update is installed could report a misleading result on 26H1, while a build-based assessment should correctly recognize 28000.2269 and later as remediated.
Shared Machines Carry the More Immediate Risk
The prerequisites make CVE-2026-41087 most relevant on systems where potentially untrusted users already receive interactive access. Remote Desktop Session Host deployments, jump boxes, lab machines, classroom PCs, kiosks that permit access beyond a tightly constrained shell, and shared administrative workstations deserve closer attention than isolated single-user devices.A malicious insider or an attacker operating through a compromised standard account would fit Microsoft’s stated model. The attacker would not need to persuade another user to interact with content, and the low-complexity rating suggests the disclosure does not require an unusually fragile race condition or elaborate environmental preparation.
The vulnerability may also matter in incident response. If an organization discovers malware or unauthorized account activity on an unpatched endpoint, responders should not treat the account’s nominal permission level as proof that sensitive local information remained inaccessible. Microsoft’s confidentiality-high assessment indicates that the disclosure can reach beyond what the attacker should ordinarily be able to inspect.
At the same time, the advisory does not justify treating CVE-2026-41087 as equivalent to remote code execution. It cannot, based on the published vector, be exploited anonymously over the network, and it does not directly grant SYSTEM privileges. Existing controls such as least privilege, application control, restricted interactive logon, and rapid containment of compromised accounts remain meaningful barriers.
Build Verification Is the Reliable Check
Administrators can confirm a device’s revision by runningwinver, checking the OS build in Settings, or querying managed endpoints through PowerShell, Microsoft Intune, Configuration Manager, or another inventory platform. The comparison must include the revision after the decimal point: build 26100 alone is not enough to determine whether a Windows 11 24H2 installation has crossed the 26100.8875 boundary.Organizations should deploy the applicable cumulative update through Windows Update, Windows Update for Business, Windows Server Update Services, Microsoft Intune, or their normal patch-management platform. Because Windows cumulative updates supersede earlier packages, installing a newer supported cumulative update should also provide the File Explorer correction.
There is no public technical description detailed enough to support a narrowly targeted configuration workaround. Disabling random Explorer features, hiding File Explorer, or changing file associations would therefore be speculative and could interfere with normal workflows without removing the vulnerable code path. Installing a cumulative update that reaches the fixed build is the dependable remediation.
CVE-2026-41087 is ultimately a local information leak rather than a direct takeover route, but its low attack complexity, lack of user interaction, and high confidentiality impact make postponement difficult to defend on shared or already exposed systems. The immediate task for Windows administrators is concrete: inventory exact build revisions, prioritize multi-user endpoints and servers that permit interactive logon, and move every affected branch to Microsoft’s fixed build or later.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: thewincentral.com
Windows 11 July 2026 Update KB5101650: Download link & What's new - WinCentral
Windows 11 KB5101650 brings Point-in-Time Restore, a new Windows Update calendar, File Explorer upgrades, Bluetooth improvements, redesigned Widgets, Accessibility features, and July 2026 security fixes. - Read in Windows 11 News on WinCentral
thewincentral.com