CVE-2026-50389: Patch Windows File Explorer Data Leak

CVE-2026-50389 is a newly disclosed Windows File Explorer information-disclosure vulnerability that can expose sensitive data to a locally authenticated attacker. Microsoft rated the flaw Important, assigned it a CVSS 3.1 base score of 5.5, and addressed affected Windows releases through cumulative security updates published or current as of July 14, 2026.
Detailed in Microsoft’s Security Update Guide and recorded by the National Vulnerability Database, the vulnerability affects supported Windows 10, Windows 11, and Windows Server branches. Administrators should verify installed OS build numbers rather than assume that endpoint protection or restricted network access removes the risk.
Microsoft lists CVE-2026-50389 as neither publicly disclosed nor exploited in the wild at publication. The Zero Day Initiative and SANS Internet Storm Center likewise recorded no known public disclosure or active exploitation in their July 2026 Patch Tuesday coverage.

Cybersecurity analyst monitors a CVE alert, Windows patches, and server security dashboards in a data center.A Local Flaw With High Confidentiality Impact​

Microsoft describes the issue as an exposure of sensitive information to an unauthorized actor in Windows File Explorer. Exploitation requires an attacker who is already authorized to access the computer locally, but the attack does not require further user interaction.
The CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. In practical terms, that means the attacker needs local access and low-level privileges, exploitation is considered low complexity, and no second user must open a file, approve a prompt, or perform another action.
The score also shows why the vulnerability matters despite its moderate numerical rating. Microsoft assigned it high confidentiality impact, indicating that successful exploitation could reveal data that the attacker should not ordinarily be able to access. The flaw does not directly modify information, interrupt Windows, or cross into a different security authority, so its integrity and availability impact scores are zero.
Microsoft has not publicly explained what specific information File Explorer may disclose, which code path is responsible, or whether exploitation depends on a particular folder, file type, Explorer view, or shell extension. There is consequently not enough public information to produce a reliable detection rule or narrowly targeted workaround.
That absence of technical detail should not be mistaken for doubt that the bug exists. Microsoft’s report-confidence classification indicates that the vulnerability is confirmed, meaning the vendor has validated the underlying issue or received sufficient technical evidence to reproduce it. Confirmation concerns the credibility of the vulnerability report; it does not mean attackers have confirmed exploitation in real environments.

The Affected Builds Stretch Across Windows Generations​

The affected-product record covers Windows releases ranging from Windows 10 Version 1607 to Windows 11 version 26H1. It also includes Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025, including relevant Server Core installations.
Microsoft and NVD identify the patched build boundaries as follows:
  • Windows 10 Version 1607 and Windows Server 2016 are protected at OS Build 14393.9339 or later.
  • Windows 10 Version 1809 and Windows Server 2019 are protected at OS Build 17763.9020 or later.
  • Windows 10 versions 21H2 and 22H2 are protected at OS Builds 19044.7548 and 19045.7548 respectively.
  • Windows 11 versions 24H2 and 25H2 are protected at OS Build 26100.8875 and 26200.8875 respectively.
  • Windows 11 version 26H1 is protected at OS Build 28000.2269 or later.
  • Windows Server 2022 is protected at OS Build 20348.5386 or later.
  • Windows Server 2025 is protected at OS Build 26100.33158 or later.
For mainstream Windows 11 installations, the relevant July package is KB5101650, which advances Windows 11 24H2 to Build 26100.8875 and Windows 11 25H2 to Build 26200.8875. Microsoft says the cumulative update contains the latest security fixes along with changes previously delivered in June’s optional preview update.
Windows 10 Version 21H2 and 22H2 systems receive the fix through KB5099539, producing Builds 19044.7548 and 19045.7548. These Windows 10 branches now primarily represent Enterprise LTSC, IoT Enterprise LTSC, and devices enrolled in the Extended Security Updates program rather than ordinary unsupported consumer installations.
Windows Server 2022 receives KB5099540 and Build 20348.5386. Windows Server 2016 is covered by KB5099535 at Build 14393.9339, while Windows Server 2025 reaches Build 26100.33158 through KB5099536.
Windows 11 version 26H1 has an unusual chronology in the affected record. The vulnerability record marks Build 28000.2269 as the fixed boundary, corresponding to KB5095051 from June 9, 2026, even though Microsoft published the CVE on July 14. The July cumulative update, KB5101649, moves the branch further to Build 28000.2525 and therefore also includes the protection.
This is a reminder that a CVE’s publication date does not always match the first update containing its correction. Microsoft may ship code changes before publicly documenting the security consequence, particularly when coordinating disclosure or grouping vulnerabilities into a later Security Update Guide release.

Patch Deployment Is the Only Documented Remediation​

Microsoft has not published a registry mitigation, Group Policy control, File Explorer configuration change, or service-disablement workaround for CVE-2026-50389. Installing the applicable cumulative update is therefore the only documented remediation.
For managed environments, the immediate task is inventory. Administrators should compare the build returned by winver, PowerShell, endpoint-management tooling, or vulnerability scanners against the fixed-build boundary for each Windows branch. Merely seeing a July update in installation history is less dependable than confirming the resulting OS build, particularly on machines that experienced rollback, servicing failure, or update deferral.
The local attack vector lowers exposure compared with an unauthenticated network vulnerability, but it does not make the issue irrelevant. Shared workstations, Remote Desktop Session Host systems, jump servers, development machines, virtual desktop pools, and servers accessed by multiple operational teams all provide plausible situations in which a low-privileged account and higher-value data coexist.
CVE-2026-50389 may also be more useful as one stage of an attack chain than as a standalone intrusion method. A threat actor who has already obtained local execution could potentially use an information leak to gather data for privilege escalation or lateral movement, although Microsoft has not disclosed whether this particular flaw exposes credentials, memory contents, file metadata, or another class of information.
Organizations should deploy the July cumulative updates through Windows Update for Business, Microsoft Intune, Configuration Manager, WSUS, or their normal patch-management platform. Internet-facing systems may not be uniquely exposed by this CVE, but multi-user and administrator-accessible machines deserve priority because the vulnerability’s practical value begins after an attacker obtains a local foothold.
The decisive verification is the build number: systems below Microsoft’s stated thresholds remain exposed, while systems at or above them have the File Explorer correction. Until Microsoft publishes deeper technical details, patch status—not behavioral monitoring—is the clearest control administrators have for CVE-2026-50389.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top