CVE-2026-50442: July 2026 Updates Fix Windows File Explorer Data Leak

CVE-2026-50442 exposes sensitive information through Windows File Explorer, but it requires an attacker who already has local access and low-level privileges on the affected machine. Microsoft addressed the flaw in its July 14, 2026 security updates across supported Windows 10, Windows 11, and Windows Server releases.
Detailed in Microsoft’s Security Update Guide, the vulnerability carries a CVSS 3.1 base score of 5.5 and is rated Important by Microsoft. The National Vulnerability Database classifies the underlying weakness as CWE-200, the broad category for exposing sensitive information to an unauthorized actor.
Microsoft has not published the precise data that can be obtained, the vulnerable File Explorer function, or technical reproduction steps. That omission makes the patch the primary defensive action: administrators cannot reliably mitigate a flaw whose affected code path has not been publicly identified.

Digital cybersecurity system showing protected files, servers, devices, alerts, and a locked shield.Local Access Keeps the Initial Risk Contained​

The CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. In practical terms, exploitation is local, has low complexity, requires low privileges, and does not depend on another user clicking a file or responding to a prompt.
A successful attack could produce a high confidentiality impact, but Microsoft assigns no direct integrity or availability impact. CVE-2026-50442 is therefore not described as a route to modify files, execute arbitrary code, crash Windows, or take control of a machine by itself.
That distinction matters. An unauthenticated attacker cannot simply target a vulnerable File Explorer instance across the internet under the published attack model. The attacker must first obtain authorization or another foothold that provides local, low-privilege access.
Once that condition is met, however, the lack of required user interaction makes the vulnerability more useful in a chained intrusion. Malware running as an ordinary user, a compromised account, or an attacker with an interactive session could attempt exploitation without needing cooperation from the person operating the PC.
The confidentiality rating also suggests that administrators should not dismiss CVE-2026-50442 solely because its base score is in the medium range. Information disclosures frequently become supporting components in larger attacks, particularly when the leaked material helps defeat a security boundary, identify sensitive resources, or make another exploit more reliable. Microsoft has not said whether this vulnerability leaks memory, paths, metadata, credentials, or another class of information, so those possibilities remain unconfirmed.

Microsoft Confirms the Flaw but Withholds the Mechanics​

The advisory’s report-confidence component is marked Confirmed. In CVSS terminology, that means detailed reports exist, functional reproduction is possible, source code permits independent verification, or the vendor has confirmed the vulnerability.
Here, Microsoft’s publication of the advisory and security fix provides that confirmation. It does not mean exploit code is publicly available, nor does it reveal how much technical knowledge an attacker currently has.
Microsoft lists the exploit-code maturity as unproven and supplies an official fix. The resulting temporal score is 4.8, below the 5.5 base score. The Zero Day Initiative’s July security-update review likewise recorded CVE-2026-50442 as neither publicly disclosed nor known to be exploited when Microsoft released the patch.
Those designations are snapshots, not permanent guarantees. Security researchers can compare patched and unpatched Windows binaries after Patch Tuesday, a process commonly called patch diffing, to isolate changed functions and reconstruct a vulnerability. The absence of a public exploit on July 14 does not ensure that technical details will remain private.
For defenders, “confirmed” should be read as confidence in the vulnerability’s existence rather than evidence of an active campaign. Microsoft knows enough to ship a correction, but the public does not yet have enough detail to build high-confidence detection rules around the exploit itself.

File Explorer’s Reach Extends Across Client and Server​

The affected-product record is broader than the File Explorer name might initially suggest. Microsoft lists supported Windows client editions alongside multiple generations of Windows Server, including Server Core installations.
Affected systems include:
  • Windows 10 versions 1607, 1809, 21H2, and 22H2 are affected below their July 2026 patched build levels.
  • Windows 11 versions 24H2 and 25H2 are affected below builds 26100.8875 and 26200.8875, respectively.
  • Windows 11 version 26H1 is affected below build 28000.2269.
  • Windows Server 2016 is affected below build 14393.9339.
  • Windows Server 2019 is affected below build 17763.9020.
  • Windows Server 2022 is affected below build 20348.5386.
  • Windows Server 2025 is affected below build 26100.33158.
The inclusion of Server Core is particularly notable because it discourages an overly literal interpretation of “File Explorer vulnerability.” Server Core does not provide the conventional desktop File Explorer experience, yet shared Windows components and supporting code can still be present and vulnerable. Administrators should rely on Microsoft’s affected-product data, not on whether users regularly launch explorer.exe.
Older Windows 10 branches in the record may also appear unusual on ordinary consumer hardware. Versions such as Windows 10 1607 and 1809 remain relevant in specific servicing channels and server-aligned deployments, even though their general consumer editions have long since left mainstream support.
The listed build thresholds provide a straightforward compliance check. Devices at or above the corrected build for their Windows branch contain the fix; machines below it remain exposed unless Microsoft revises the advisory.

Patch Deployment Beats Speculative Workarounds​

Microsoft has not documented a workaround for CVE-2026-50442, and the public description does not identify a feature that administrators can safely disable. Turning off preview handlers, hiding Explorer panes, blocking particular file extensions, or replacing the desktop shell would therefore be speculative rather than evidence-based mitigation.
Organizations should deploy the July 14 cumulative security update through Windows Update, Windows Server Update Services, Microsoft Configuration Manager, or their normal endpoint-management platform. Because Windows cumulative updates contain the underlying fix, administrators do not install a standalone CVE-2026-50442 package.
Patch verification should focus on the installed OS build rather than merely checking that an update installation was attempted. Failed installations, deferred restarts, servicing-stack problems, and devices outside normal management coverage can all leave endpoints below the fixed build.
The local and authenticated prerequisites allow normal staged deployment where operational testing is required, but they do not justify an indefinite delay. Systems carrying sensitive data, shared administrative workstations, multi-user servers, virtual desktop infrastructure, and machines where untrusted users can obtain sessions deserve priority because they offer more opportunities for a low-privilege account to reach information belonging to a higher-value context.
CVE-2026-50442 is not a remote takeover flaw, and Microsoft had seen neither active exploitation nor public disclosure at release. Its immediate consequence is narrower but concrete: every affected Windows installation below the July 2026 build threshold retains a confirmed File Explorer confidentiality weakness for which Microsoft has provided no dependable workaround beyond updating.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top