CVE-2026-50456: July Updates Fix Windows File Explorer Data Leak

CVE-2026-50456 is a Windows File Explorer information-disclosure vulnerability that can let a locally authenticated attacker expose sensitive data, and Microsoft has shipped the fix in its July 14, 2026 security updates. The flaw is rated Important by Microsoft with a CVSS 3.1 base score of 5.5, placing it below the remote-code-execution and privilege-escalation bugs likely to dominate this month’s patching discussions.
Detailed in Microsoft’s Security Update Guide and recorded by the National Vulnerability Database, CVE-2026-50456 affects supported Windows client and server releases ranging from older Windows 10 and Windows Server editions to Windows 11 26H1 and Windows Server 2025. Microsoft describes the underlying weakness as exposure of sensitive information to an unauthorized actor in Windows File Explorer.
This is not a remotely exploitable drive-by flaw. Microsoft’s scoring says an attacker needs local access and low-level privileges, while no user interaction is required once the necessary conditions have been established. The potential confidentiality impact is nevertheless rated high, meaning successful exploitation could reveal data well beyond a trivial filename or interface detail.

Cybersecurity operations center showing protected files, patch deployment, and vulnerability monitoring.Local Access Narrows the Door, Not the Damage​

The CVSS vector for CVE-2026-50456 is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. In practical terms, exploitation must originate locally, has low attack complexity, requires an account with limited privileges, and does not need the victim to click a file or approve a prompt.
The vulnerability does not directly allow an attacker to modify files, disrupt Windows, or obtain administrator rights. Its security impact is confined to confidentiality, but Microsoft assigns that confidentiality loss the highest CVSS impact level. That distinction matters: a medium numerical score does not mean the exposed information is necessarily unimportant.
Microsoft has not publicly described exactly what data File Explorer may disclose, which code path is responsible, or how an attacker would reach the vulnerable state. The vulnerability is categorized under CWE-200, the broad weakness class used when software exposes sensitive information to an actor that should not receive it.
That limited disclosure is normal for newly patched Windows vulnerabilities, particularly when Microsoft wants systems updated before publishing implementation details that could accelerate exploit development. It also means administrators should avoid assuming the issue is limited to Explorer’s visible user interface. File Explorer sits on top of Windows shell, namespace, metadata and file-handling components that can process local, removable and network-backed content.
The supplied exploitability information offers some reassurance. Microsoft’s assessment indicates that CVE-2026-50456 was neither publicly disclosed nor known to be exploited when the July updates were released. Its temporal vector also marks exploitation as unproven while treating the vulnerability report itself as confirmed.
That is the useful interpretation of the vulnerability’s confidence metric: the flaw is vendor-confirmed, but working exploitation has not been demonstrated publicly. It should not be confused with uncertainty over whether the vulnerability exists.

File Explorer Collected a Crowd of July Fixes​

CVE-2026-50456 was not the only File Explorer disclosure issue patched this month. Microsoft’s July release also lists CVE-2026-33842, CVE-2026-40422, CVE-2026-41087, CVE-2026-50389, CVE-2026-50442, CVE-2026-50473 and CVE-2026-57084 under the same Windows File Explorer information-disclosure category.
SANS Internet Storm Center recorded these File Explorer vulnerabilities as Important-rated issues with broadly similar CVSS characteristics. That concentration suggests Microsoft corrected several distinct disclosure paths in or around Explorer rather than assigning multiple identifiers to one isolated defect.
The wider July 2026 Patch Tuesday release is unusually large. BleepingComputer counted 570 Microsoft vulnerabilities released on July 14, including 102 information-disclosure flaws, while SANS counted a larger total after including additional product and release categories. The differing totals reflect what each organization includes in its monthly count, not a disagreement over CVE-2026-50456 itself.
For patch teams, the sheer size of the release makes prioritization unavoidable. CVE-2026-50456 is not one of July’s known exploited zero-days, but it is also unlikely to justify a separate deployment because the correction arrives through the same cumulative Windows security updates needed for higher-risk flaws.
That cumulative servicing model is important. An organization cannot generally select the File Explorer fix while deferring the rest of the Windows package; installing the relevant July cumulative update advances the operating system to a build containing the correction and the month’s other Windows fixes.

The Affected Range Reaches Deep into Windows Estates​

Microsoft’s CVE data identifies a wide selection of affected client and server platforms, including Windows 10 Version 1607, Windows 10 Version 1809, Windows 10 Version 21H2, Windows 10 Version 22H2, Windows 11 Version 24H2, Windows 11 Version 25H2 and Windows 11 Version 26H1. Windows Server 2012, Server 2012 R2, Server 2016, Server 2019, Server 2022 and Server 2025 are also represented, including applicable Server Core installations.
The fixed-build boundaries include:
  • Windows 10 Version 21H2 systems must reach build 19044.7548 or later.
  • Windows 10 Version 22H2 systems must reach build 19045.7548 or later.
  • Windows 11 Version 24H2 systems must reach build 26100.8875 or later.
  • Windows 11 Version 25H2 systems must reach build 26200.8875 or later.
  • Windows 11 Version 26H1 systems must reach build 28000.2269 or later.
  • Windows Server 2019 receives the correction in KB5099538, which advances it to build 17763.9020.
  • Windows Server 2022 receives the correction through KB5099540, corresponding to build 20348.5386.
  • Windows Server 2025 receives the correction through KB5099536.
Some listed Windows 10 and legacy Windows Server releases require an applicable support or Extended Security Updates entitlement. Merely finding an affected version in vulnerability data does not guarantee that an unmanaged system will receive the update automatically.
Administrators can check a device’s current release and build by running winver, querying their endpoint-management inventory, or reviewing CurrentBuild and UBR under the Windows NT current-version registry key. Update compliance reports from Windows Update for Business, Microsoft Intune, Configuration Manager and Windows Server Update Services should be checked against the corrected build rather than relying only on a successful installation status.

Treat It as a Post-Compromise Disclosure Primitive​

Because CVE-2026-50456 requires local privileges, it is more relevant to multi-stage attacks than to initial network intrusion. An attacker who already has access through stolen credentials, malware, a malicious remote session or another vulnerability could potentially use the flaw to obtain information unavailable to that account.
That makes the bug particularly relevant on shared workstations, Remote Desktop Session Host systems, jump boxes and servers where lower-privileged users operate alongside accounts or services handling sensitive material. Server Core being listed as affected is also a reminder that the vulnerable functionality is not necessarily limited to someone manually browsing folders on a full desktop.
There is no published workaround or standalone mitigation that provides the same assurance as installing the security update. Least-privilege controls, application allowlisting, credential protections and restrictions on interactive server logons can reduce the chance that an attacker reaches the required local foothold, but they do not remove the vulnerable code.
CVE-2026-50456 does not warrant panic or an emergency deployment ahead of July’s actively exploited vulnerabilities. It does warrant inclusion in the normal accelerated Patch Tuesday cycle, especially because the same cumulative update closes far more dangerous Windows weaknesses. The immediate milestone for IT teams is therefore straightforward: validate the July 14 updates against business-critical applications, deploy them in staged rings, and confirm that endpoints have reached the corrected OS builds rather than merely reporting that an update scan completed.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top