Every logged-in user on your PC could be snooping through data they shouldn’t see, thanks to a File Explorer flaw Microsoft just patched. The vulnerability, tracked as CVE-2026-41087, was disclosed on July 14, 2026, and affects nearly all supported Windows versions—from Windows 10 to Server 2025. It scores a moderate 5.5 on the CVSS scale, but don’t let that number lull you: an attacker already inside the machine, even with limited privileges, can exploit File Explorer to read sensitive information without any user interaction.

The good news? A simple cumulative update seals the leak. The catch? You must verify exactly which build your device is running—and the patch release timeline is a little tangled.

What Microsoft Fixed

CVE-2026-41087 is an information-disclosure vulnerability in Windows File Explorer. An attacker who can log onto a machine—think a guest account, a compromised standard user, or a malicious insider—can use File Explorer to access data that should be off-limits. Microsoft rates the confidentiality impact as high, meaning the exposed info could include file contents, path names, metadata, or memory-derived secrets that aid further attacks. The flaw cannot be exploited remotely, does not alter files, and won’t hand an attacker admin rights by itself. But as a stepping stone for chained exploits, it’s potent.

The MSRC advisory doesn’t spell out which Explorer feature leaks the data. That means disabling random Explorer options or file associations as a workaround is guesswork and could break your workflow. There’s just one dependable fix: install the July 2026 cumulative update for your Windows edition.

Affected products span everything from Windows 10 version 1607 through Windows 11 version 26H1, plus Windows Server 2016, 2019, 2022, and 2025—including Server Core installations. Yes, even Server Core, which lacks the desktop Explorer, contains the vulnerable shared components.

Who's Actually at Risk

The attack vector is local, and privileges must be low. That makes CVE-2026-41087 most dangerous on machines where multiple people—or less-trusted automated processes—have interactive access. Think:

  • Shared workstations in offices, labs, or classrooms
  • Remote Desktop Session Hosts (terminal servers) where users log into isolated sessions
  • Jump boxes that admins use to access other systems
  • Kiosks or public-facing PCs that allow some shell or Explorer access

A malicious insider with a standard account is the textbook threat. But also consider incident response: if a low-privilege malware finds an unpatched machine, it could vacuum up sensitive files long before defenders realize the breach.

Single-user desktops and laptops are less urgent, but not immune. If ransomware lands via a phishing link and runs as the logged-in user, it gains a wider view of the system than it should. Patch even if you’re the only person who uses your device.

The Patch Lottery

Here’s where things get a bit messy. Microsoft published the vulnerability on July 14, but fixed builds rolled out at different times for different Windows versions. The table below shows the exact build numbers that mark the patched version—anything below is vulnerable.

Windows version Fixed build (or later)
Windows 10 1607 / Server 2016 14393.9339
Windows 10 1809 / Server 2019 17763.9020
Windows 10 21H2 19044.7548
Windows 10 22H2 19045.7548
Windows 11 24H2 26100.8875
Windows 11 25H2 26200.8875
Windows 11 26H1 28000.2269
Server 2022 20348.5386
Server 2025 26100.33158

For most Windows 10 and 11 versions, the July 2026 cumulative update does the job:
- Windows 11 24H2 and 25H2: KB5101650 advances those branches to the safe build.
- Windows 10 21H2 and 22H2: KB5099539 does the same.

But Windows 11 26H1 is an outlier. Microsoft’s records show the patched build (28000.2269) was delivered in the June 9, 2026 cumulative update KB5095051. So if you already installed that June patch, you’re covered—even though the CVE wasn’t published until July. Scanners that only check for a July update may incorrectly flag a 26H1 machine as vulnerable.

How We Got Here

Microsoft has not commented on whether CVE-2026-41087 was exploited in the wild or discovered internally. The timeline suggests the fix was ready ahead of disclosure: the June update for the newest Windows 11 branch carried the code changes, but the MSRC advisory didn’t go live until July 14. That’s common Microsoft practice—prepare fixes for less severe flaws during regular Patch Tuesday cycles and coordinate public disclosure later.

The vulnerability’s CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. Translated: local attack, low complexity, no user interaction, high impact to confidentiality. The 5.5 score reflects the fact that you can’t attack it over the internet; an actor must already be on the box. That makes it less terrifying than a remote zero‑click bug, but it still hands an attacker a free reconnaissance tool.

File Explorer has seen other information-disclosure flaws before, though rarely with this cross‑version impact. In 2024, CVE-2024-21326 allowed a local attacker to read process memory through Explorer. The lesson: Explorer is more deeply integrated into the OS than it appears, and an update can quietly fix a vulnerability you never suspected.

What to Do Right Now

  1. Check your build number. Press Win+R, type winver, and note the full build string. On managed fleets, query with Get-ComputerInfo in PowerShell or through your MDM.
  2. Install the cumulative update. Windows Update, WSUS, or Microsoft Intune—whichever you use. The July 2026 monthly rollup contains the fix. If you’re on 26H1 and already applied June’s KB5095051, you’re done.
  3. Prioritize shared and server systems. That Remote Desktop host or lab PC should be patched first. For home users on a single‑user machine, the risk is lower, but don’t skip the update.
  4. Verify after patching. Recheck the build number to ensure it meets or exceeds the fixed threshold. Don’t assume detection tools have caught up, especially on 26H1.
  5. Consider your incident response playbooks. If you find signs of compromise on an unpatched endpoint, assume an attacker could have read far more than the account’s permission set normally allows.

No Microsoft‑sanctioned workaround exists. Removing File Explorer or changing file associations won’t reliably block the leak and will cripple the machine. Just patch.

What Comes Next

CVE-2026-41087 is unlikely to be the last File Explorer vulnerability. As Windows continues to integrate cloud‑backed features and metadata indexing, the attack surface grows. Keep an eye out for follow‑up advisories that may detail the technical mechanism behind this leak—security researchers often publish breakdowns once the patch has shipped.

For now, the fix is straightforward, and the risk is manageable. But if you manage machines where people you don’t fully trust can log in, apply the update today. An info leak at the file‑system level is exactly the kind of silent enabler that turns a minor breach into a major incident.