CVE-2026-50473: KB5101650 Fixes Windows File Explorer Leak

CVE-2026-50473 exposes sensitive information through Windows File Explorer and is fixed by Microsoft’s July 14, 2026 security updates. The flaw carries a CVSS 3.1 score of 5.5 and affects supported Windows 10, Windows 11, and Windows Server releases, including Server Core installations.
Detailed in Microsoft’s Security Update Guide and corroborated by the National Vulnerability Database, the vulnerability allows an already authorized attacker to disclose information locally. Microsoft classifies it as CWE-200, Exposure of Sensitive Information to an Unauthorized Actor.
The practical action is straightforward: install the July cumulative update applicable to each Windows release. For Windows 11 versions 24H2 and 25H2, that means KB5101650, which advances the operating systems to builds 26100.8875 and 26200.8875 respectively.

Digital file management and backup illustrated with folders, servers, a security shield, and refresh calendar.Local Access Narrows the Attack, Not the Data Loss​

Microsoft’s CVSS vector for CVE-2026-50473 is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. That dense string describes a vulnerability requiring local access and low-level privileges, with low attack complexity and no additional user interaction.
In practical terms, CVE-2026-50473 is not presented as a drive-by Internet attack. An attacker must already possess some ability to operate on the target machine, whether through a local account, an existing foothold, remote interactive access, or malicious code running in a user context.
That prerequisite lowers the overall score, but the confidentiality rating is High. Microsoft’s scoring indicates that successful exploitation can produce a serious disclosure of information, even though it does not directly modify data, execute code with elevated privileges, or make the system unavailable.
This distinction matters for enterprise triage. CVE-2026-50473 may not be the vulnerability that initially compromises a workstation, but it could potentially assist an attacker who has already entered the environment and is gathering information for lateral movement, credential theft, or a broader intrusion.
No user interaction is required once the attacker has the necessary local privileges. Users do not have to open a malicious attachment, browse to a particular page, or approve a prompt for the vulnerable File Explorer behavior to be reached.
Microsoft has not publicly described the precise information exposed, the relevant File Explorer operation, or a proof-of-concept exploitation path. Administrators should therefore avoid assuming that the issue is limited to filenames, folder metadata, thumbnails, search results, or another familiar Explorer data source. Those details remain undisclosed in the initial advisory.

The Affected List Spans Clients and Servers​

The CVE record covers a wide range of Windows versions, including releases now commonly encountered only in managed, embedded, or extended-support environments. The affected-version boundaries published by Microsoft identify the first builds containing the correction:
  • Windows 10 version 1607 is addressed by build 14393.9339.
  • Windows 10 version 1809 is addressed by build 17763.9020.
  • Windows 10 version 21H2 is addressed by build 19044.7548.
  • Windows 10 version 22H2 is addressed by build 19045.7548.
  • Windows 11 version 24H2 is addressed by build 26100.8875.
  • Windows 11 version 25H2 is addressed by build 26200.8875.
  • Windows 11 version 26H1 is listed as affected below build 28000.2269.
  • Windows Server 2016 is addressed by build 14393.9339.
  • Windows Server 2019 is addressed by build 17763.9020.
  • Windows Server 2022 is addressed by build 20348.5386.
  • Windows Server 2025 is addressed by build 26100.33158.
Microsoft includes both full and Server Core installations for Windows Server 2016, Windows Server 2019, and Windows Server 2025. That is notable because Server Core lacks the normal interactive desktop experience, yet it still contains Windows components and management surfaces that share code with the broader operating system.
Administrators should consequently use the published build boundaries rather than deciding exposure based on whether users routinely launch the graphical File Explorer interface. The vulnerable component’s name does not prove that exploitation requires someone to browse folders interactively.
Windows 11 24H2 and 25H2 systems receive the fix through KB5101650. Microsoft’s release notes describe that package as the July 2026 cumulative security update, combining the month’s security corrections with changes previously distributed in the optional June preview.
There is an important deployment complication for a limited number of Dell systems using Intel processors. Microsoft says KB5101650 may not initially be offered to affected devices because Dell reported an incompatibility that could produce unexpected shutdowns, degraded performance, excess heat, and battery drain. Microsoft and Dell are working on a resolution, so administrators should not bypass the safeguard hold indiscriminately merely to force the CVE fix onto blocked hardware.

“Confirmed” Does Not Mean Exploitation Has Been Seen​

The text describing “the degree of confidence in the existence of the vulnerability” is Microsoft’s generic explanation of the CVSS Report Confidence metric. It is not a technical description of how CVE-2026-50473 works.
A Confirmed rating means the vendor accepts that the flaw exists and that sufficiently credible technical evidence supports the advisory. It does not mean attackers have exploited it in production, that exploit code is publicly available, or that every technical detail has been released.
CISA’s initial Stakeholder-Specific Vulnerability Categorization data recorded no known exploitation, described the issue as not automatable, and assessed its technical impact as partial. The National Vulnerability Database was still awaiting its own enrichment at the time of publication, so Microsoft’s CVSS score and affected-product data remain the primary public assessment.
The absence of observed exploitation should help determine rollout order, but it is not a reason to leave the issue unpatched indefinitely. Information-disclosure bugs are frequently useful as links in an attack chain, especially when they reveal data that helps bypass security boundaries or makes another vulnerability more reliable.
Security teams should also remember that File Explorer is a highly integrated Windows component. It participates in shell operations, file previews, metadata handling, network locations, archives, shortcuts, and extensions installed by third-party applications. Microsoft has not said which of those surfaces is involved here, making speculative workarounds difficult to justify.

Patch Verification Beats Guesswork​

Organizations can validate remediation through their normal endpoint inventory rather than attempting to reproduce an undisclosed information leak. The installed OS build can be checked through winver, Settings, PowerShell, Windows Update reporting, Microsoft Intune, Windows Server Update Services, or an endpoint-management platform.
Machines remaining below Microsoft’s corrected build boundary should be treated as affected. That includes servers where the July update has downloaded but is waiting for a restart, because the updated binaries are not necessarily active until servicing completes.
For higher-risk endpoints, administrators should prioritize systems used by privileged operators, help-desk staff, developers, and server administrators. A local information-disclosure flaw has greater practical value when the compromised user regularly handles sensitive files, deployment credentials, administrative shares, or security tooling.
There is no separately documented workaround in the currently available public record. Attempts to mitigate the issue by disabling thumbnails, preview handlers, Explorer extensions, or network browsing would therefore be unverified and could disrupt business workflows without reliably closing the vulnerable code path.
The defensible response is to deploy the July 14 cumulative updates, confirm the resulting build numbers, and monitor safeguard holds such as the Dell compatibility block. Until Microsoft publishes deeper technical details, patch state is the only dependable indicator of protection against CVE-2026-50473.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: learn.microsoft.com
  3. Related coverage: thewincentral.com
 

Back
Top