Microsoft’s July 2026 Patch Tuesday landed with a surprise for Windows users: a freshly disclosed information-disclosure vulnerability in File Explorer that can expose sensitive data to anyone who already has a foothold on your PC. Labeled CVE-2026-50389 and rated Important, the flaw scores 5.5 on the CVSS 3.1 scale, but don’t let the moderate number fool you—the confidentiality impact is rated high. That means an attacker who’s logged in—even with low privileges—can quietly vacuum up data they shouldn’t be able to touch, with no pop-ups or extra clicks from you.

The fix arrives via the July cumulative updates for every supported version of Windows 10, Windows 11, and Windows Server. There’s no registry tweak, no policy setting, and no workaround—patching is the only documented way to close the hole. For home users, that’s one more reason to hit “Check for updates” right now. For IT teams, it’s a sprint to inventory build numbers across shared machines, jump servers, and virtual desktop pools.

The Flaw in a Nutshell

Here’s what’s confirmed, according to Microsoft’s Security Update Guide and the National Vulnerability Database: CVE-2026-50389 is an “exposure of sensitive information to an unauthorized actor” inside Windows File Explorer. To exploit it, a bad actor already needs to be on your computer—physically at the keyboard or via a remote session like RDP—and logged in with a standard (non-administrator) account. The attack is low complexity, and no further user interaction is required. You won’t see a warning, and you don’t have to open a malicious file to trigger it.

The CVSS breakdown tells the story: the vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. Translated: local attack, low attack complexity, low privileges required, no user interaction, scope unchanged, high impact on confidentiality, none on integrity or availability. So while it can’t crash your system or modify files, it can siphon away private data—perhaps file metadata, folder contents, or something even more valuable. Exactly what data is exposed remains unclear; Microsoft has not published the technical root cause, the code path involved, or whether a particular view or shell extension is to blame.

That mystery doesn’t undermine the patch’s importance. Microsoft classifies the vulnerability as “confirmed,” meaning the vendor has validated the report and can reproduce the behavior. The Zero Day Initiative and SANS Internet Storm Center, both tracking July’s Patch Tuesday, noted no evidence of public disclosure or active exploitation at the time of release. So while the bad guys aren’t yet using this in the wild, the clock is now ticking.

Which Windows Installations Are Vulnerable?

The affected-product list is practically a roll call of every supported Windows branch in mid-2026. If you’re on a currently patched Windows 10 or 11 machine, you’re in the danger zone until you install the July update. Here’s the fixed-build boundary for each version—if your OS build number is lower than what’s listed, you’re exposed:

  • Windows 10 Version 1607 (and Windows Server 2016): Protected at OS Build 14393.9339 or later.
  • Windows 10 Version 1809 (and Windows Server 2019): Protected at OS Build 17763.9020 or later.
  • Windows 10 Versions 21H2 and 22H2: Protected at OS Build 19044.7548 and 19045.7548, respectively.
  • Windows 11 Versions 24H2 and 25H2: Protected at OS Build 26100.8875 and 26200.8875, respectively.
  • Windows 11 Version 26H1: Protected at OS Build 28000.2269 or later. (Note: this was initially fixed in the June 9 update KB5095051, but the CVE wasn’t disclosed until July; the July cumulative update KB5101649 also contains the fix.)
  • Windows Server 2022: Protected at OS Build 20348.5386 or later.
  • Windows Server 2025: Protected at OS Build 26100.33158 or later.

For mainstream users, the key packages are KB5101650 for Windows 11 24H2/25H2 and KB5099539 for Windows 10 21H2/22H2. Windows Server admins will look for KB5099540, KB5099535, KB5099536, and others. You can check your build by typing “winver” in the Start menu or running Get-ComputerInfo -Property \"OsBuildNumber\" in PowerShell.

Who Is at Risk?

At first glance, “local access required” might make this seem like a non-issue for a typical home PC sitting in your living room. But think again: any situation where someone else—or some other process—already has a login can be a problem. That includes:

  • Shared family computers where multiple people have separate accounts.
  • Remote Desktop sessions on a home PC (even Windows 10/11 Pro allows one concurrent RDP session).
  • Work-from-home setups where a corporate laptop doubles as a personal device for other household members.
  • Developers or power users who run untrusted code in a sandbox or VM but share folders with the host—a low-privileged process inside the sandbox could exploit the leak to read host data.

For IT administrators, the stakes are higher. Servers, workstations in healthcare or finance, kiosks, and especially “jump servers” (machines used to access other systems) are prime targets. A low-level support account that can log into a server but shouldn’t see confidential files suddenly becomes a vector. And because exploitation needs no user interaction, a compromised low-privilege account can quietly exfiltrate data, potentially as one step in a larger attack chain—escalating privileges or moving laterally across the network.

No Workarounds, Just Patching

Microsoft has not released a registry key, Group Policy adjustment, or even a way to disable a specific File Explorer feature to mitigate CVE-2026-50389. There’s no temporary shield—you either have the patch or you don’t. That makes the July cumulative update mandatory.

Security software can’t detect the exploit yet because the technical details aren’t public. Without knowing what the leak looks like (a specific API call, a file handle, a process interaction), behavioral monitoring is blind. So for now, the only reliable defense is verifying that every machine in your fleet has crossed the fixed-build threshold.

How to Apply the Fix (and Verify It Worked)

For home users and small offices:
1. Open Settings > Windows Update and click “Check for updates.” If the July update is offered, install it and restart.
2. After restarting, type winver in the taskbar search and press Enter. Compare the OS Build number to the table above. For example, if you’re on Windows 11 24H2, you should see 26100.8875 or higher.
3. If the update isn’t offered, you may be on a metered connection or have paused updates. Temporarily allow downloads and try again.

For IT administrators and managed environments:
- Deploy via your preferred channel: Windows Update for Business, Microsoft Intune, Configuration Manager, WSUS, or third-party patch management.
- Prioritize multi-user systems: RDS hosts, shared workstations, developer VMs, and any server with interactive logins.
- Validate with a build-number audit. Don’t rely on update-installation history alone—sometimes updates roll back or fail. Use PowerShell, vulnerability scanners, or Microsoft Defender for Endpoint’s threat and vulnerability management to confirm.
- Pay special attention to Windows Server 2016 and 2019. These are still widely deployed in legacy roles and may be overlooked during patch cycles.

A quick PowerShell one-liner for remote checks (ensure you have appropriate permissions):

Invoke-Command -ComputerName Server01, Server02 { (Get-ItemProperty -Path \"HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\" -Name CurrentBuild).CurrentBuild }

What We Still Don’t Know

Microsoft’s advisory is intentionally sparse. We’re left guessing:

  • What data does File Explorer leak? Could it be the contents of a folder you shouldn’t see, file metadata, or something deeper like memory addresses that could help with other exploits?
  • Is this a bug in a legacy function, a shell extension, or the way Explorer previews files? Without technical details, third-party security researchers can’t yet build detection rules or assess the real-world risk accurately.
  • Why was the Windows 11 26H1 fix baked into a June preview update while the CVE remained under wraps until July? It’s common for Microsoft to include fixes before public disclosure, but the delay raises questions about the coordination timeline.

Such secrecy is standard for newly patched vulnerabilities, but it means administrators are flying partially blind until deeper analysis emerges—likely from Microsoft’s own researchers or the original reporter in the coming weeks.

Outlook: Patch Now, Watch Later

CVE-2026-50389 isn’t a wormable nightmare, but it’s the kind of quiet leak that quietly undermines security post-breach. As long as an attacker is already inside the building (so to speak), this bug hands them a crowbar for locked filing cabinets. Combined with other vulnerabilities, it could become a crucial link in a more sophisticated chain.

For now, the action is straightforward: apply the July 2026 updates and confirm your build numbers. Keep an eye on the Microsoft Security Response Center and your security vendor’s threat intelligence feeds. Once technical details surface, the industry will likely release detection signatures and more specific risk assessments.

In the meantime, treat multi-user systems and administrative jump boxes with extra caution—these are the environments where a low-privilege information leak does its worst work. And as always, limit local account privileges wherever possible, so if someone does slip through, they find fewer doors already unlocked.