CVE-2026-50430: July 2026 Updates Fix Windows Data Leak

CVE-2026-50430, an Important-rated information disclosure vulnerability in Windows Push Notifications, was fixed in Microsoft’s July 14, 2026 security updates across supported Windows 10, Windows 11, and Windows Server releases. The flaw requires an attacker to have local access and valid credentials, but successful exploitation could expose sensitive information without further user interaction.
Microsoft disclosed the vulnerability through the Microsoft Security Response Center as part of July 2026 Patch Tuesday. The National Vulnerability Database has reproduced Microsoft’s initial assessment but is still awaiting its own enrichment, leaving the vendor advisory as the primary technical source.
The immediate action is straightforward: administrators should deploy the July cumulative Windows updates and verify that endpoints have reached the corrected OS build for their release. There is no separate configuration change or documented workaround that substitutes for patching.

Cybersecurity network graphic showing devices and servers protecting against vulnerability CVE-2026-50430.Local Access Limits the Attack, Not the Data Loss​

Microsoft describes CVE-2026-50430 as an exposure of sensitive information to an unauthorized actor in Windows Push Notifications. An authorized attacker can exploit the weakness locally, meaning this is not a vulnerability that an unauthenticated Internet user can directly trigger against an exposed Windows machine.
The CVSS 3.1 score is 5.5, with the vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. In practical terms, exploitation requires local positioning, has low attack complexity, needs low privileges, and does not depend on another user clicking a link, opening a file, or accepting a notification.
The score also identifies high confidentiality impact as the principal risk. Microsoft has not attributed integrity or availability impact, so the disclosed issue does not directly permit an attacker to alter protected information, elevate privileges, execute arbitrary code, or crash the system.
That distinction matters, but it should not turn CVE-2026-50430 into a routine low-priority item. Local information disclosure vulnerabilities are often useful after an attacker has obtained an initial foothold through malware, a stolen account, a malicious application, or a separate remote-access flaw. Data exposed by one bug can provide the memory contents, credentials, tokens, addresses, or operational context needed to make another attack more reliable.
Microsoft has not publicly detailed exactly what information can be recovered from the Windows Push Notifications component. There is also no public proof of concept in the initial advisory, and CVE-2026-50430 was not identified among the actively exploited zero-days highlighted in reporting on the July release.
The absence of those details narrows what defenders can confidently claim. It does not establish that exploitation is impossible or that the exposed information is harmless.

The Patch Reaches Across Client and Server Windows​

The affected-product record spans multiple generations of Windows, including current Windows 11 releases and older Windows 10 and Windows Server branches. The breadth suggests that the vulnerable notification code is shared or closely related across several supported servicing lines rather than being confined to a recent Windows 11 feature.
Microsoft and the NVD identify affected installations below these corrected build levels:
  • Windows 10 Version 1607 is affected before build 14393.9339.
  • Windows 10 Version 1809 is affected before build 17763.9020.
  • Windows 10 Version 21H2 is affected before build 19044.7548.
  • Windows 10 Version 22H2 is affected before build 19045.7548.
  • Windows 11 Version 24H2 is affected before build 26100.8875.
  • Windows 11 Version 25H2 is affected before build 26200.8875.
  • Windows 11 Version 26H1 is affected before build 28000.2269.
  • Windows Server 2016 is affected before build 14393.9339.
  • Windows Server 2019 is affected before build 17763.9020.
  • Windows Server 2022 is affected before build 20348.5386.
  • Windows Server 2025 is affected before the applicable corrected July build, including build 26100.33158 in Microsoft’s affected-version record.
Server Core installations of Windows Server 2016, Windows Server 2019, and Windows Server 2025 are also included. The presence of Server Core is a useful warning for administrators who might otherwise associate Windows Push Notifications only with desktop toast notifications and consumer applications.
The vulnerable component’s name does not mean that affected servers must be actively displaying pop-up notifications. Security applicability is determined by the Windows binaries and servicing branch installed on the machine, not by whether an administrator knowingly uses the feature.
Some of the Windows 10 editions listed in the CVE record are no longer generally serviced for ordinary consumer installations. They can remain relevant in Long-Term Servicing Channel, embedded, enterprise, or Extended Security Updates environments, so organizations should match the update against the exact edition and support entitlement rather than relying on the marketing version alone.

Report Confidence Does Not Mean Active Exploitation​

The report confidence language shown in Microsoft’s advisory describes confidence in the vulnerability’s existence and the credibility of the available technical findings. A “Confirmed” assessment means Microsoft, as the vendor, has acknowledged the flaw or that sufficiently reliable technical evidence exists to reproduce it.
It should not be confused with Microsoft’s exploitation status. Report confidence answers whether the vulnerability is considered real; it does not say that attackers are using it in the wild, that exploit code is public, or that exploitation is imminent.
For CVE-2026-50430, the supplied CVSS vector points to a relatively constrained attack path. An attacker needs an existing local account or another way to execute code under a low-privileged context. No victim interaction is required once those conditions are met, which makes the vulnerability potentially suitable for incorporation into a post-compromise toolkit.
The weakness is categorized as CWE-200, Exposure of Sensitive Information to an Unauthorized Actor. That is a broad classification rather than a root-cause explanation. Microsoft has not said whether the Windows Push Notifications flaw involves uninitialized memory, an out-of-bounds read, incorrect access control, or another implementation error.
That missing root-cause detail also limits detection options. Without a documented process sequence, event-log signature, file artifact, or exploit pattern, security teams cannot build a reliable CVE-specific hunting query from the initial advisory. Endpoint detection and response tools may identify suspicious local execution surrounding exploitation, but they cannot be assumed to recognize the information leak itself.

Servicing Verification Is the Practical Control​

CVE-2026-50430 is delivered through the normal cumulative Windows servicing channel, so installing the relevant July 14 update also brings the device to a build that includes other security and quality changes. Administrators should test the cumulative package against business-critical applications, but deferring this flaw indefinitely because it is “only local” ignores how information disclosures are used in multi-stage attacks.
Inventory systems should compare the actual OS build, not merely report that Windows Update last ran successfully. Devices can appear compliant while missing a cumulative update because of installation failures, servicing-stack problems, pending restarts, update deferrals, or stale management data.
For managed fleets, the useful checks are whether the July 2026 cumulative update installed successfully, whether a restart remains pending, and whether the resulting build meets or exceeds Microsoft’s corrected threshold. Windows Server estates deserve the same review, including Server Core hosts and systems where notification functionality appears operationally irrelevant.
CVE-2026-50430 is not the kind of unauthenticated remote-code-execution flaw that justifies emergency isolation by itself. It is, however, a confirmed Windows confidentiality bug with low attack complexity and no user-interaction barrier after local access is obtained. The July 14, 2026 cumulative updates remain the concrete boundary between affected and corrected systems.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top