On July 14, 2026, Microsoft’s monthly security updates included a patch for a vulnerability in Active Directory Federation Services (AD FS) that could let an unauthenticated attacker trigger an infinite loop, crashing the service and locking users out of dependent applications. Tracked as CVE-2026-50324, the flaw affects all supported Windows Server releases and carries a CVSS severity score of 5.9—but its potential to disrupt an entire identity infrastructure makes it a priority for immediate patching.
Inside the Flaw: What CVE-2026-50324 Does to AD FS
The root cause, classified as CWE-835, is a loop with an unreachable exit condition in AD FS. An attacker can send a specially crafted request over the network to a vulnerable federation server without needing any credentials or prior authentication. If the conditions are right, that request traps the AD FS process in an infinite loop—consuming processing capacity and preventing legitimate token issuance, authentication, and sign-in requests from completing.
The vulnerability is purely a denial-of-service issue. It does not expose credentials, allow elevation of privilege, or alter data. According to Microsoft’s Security Response Center advisory, the CVSS vector is AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H, meaning the attacker can reach the component over a network, the attack complexity is high, no privileges or user interaction are required, and the impact is solely on availability.
Microsoft has not publicly detailed the specific conditions that must align for exploitation to succeed, nor how long an AD FS service remains impaired after a successful attack. Recovery might require restarting the AD FS service, rebooting the server, waiting for request timeouts, or some other corrective action. That uncertainty complicates incident response, especially for organizations with single-server AD FS deployments.
Your Servers: Affected Versions and Build Boundaries
The vulnerability is present in every supported and extended-support Windows Server release that includes the AD FS role. The following table shows the minimum patched build numbers released on July 14, 2026. Administrators should confirm that all federation servers—whether full installations or Server Core—are at or above these thresholds.
| Windows Server Version | Vulnerable (earlier than) | Patched KB (where available) |
|---|---|---|
| Windows Server 2012 R2 | 6.3.9600.23291 | KB5099444 (Monthly Rollup) |
| Windows Server 2016 | 10.0.14393.9339 | See Microsoft Update Catalog |
| Windows Server 2019 | 10.0.17763.9020 | See Microsoft Update Catalog |
| Windows Server 2022 | 10.0.20348.5386 | KB5099540 |
| Windows Server 2025 | 10.0.26100.33158 | See Microsoft Update Catalog |
Windows 10 Versions 1607 and 1809 also appear in the CVE record because they share serviced components with Windows Server 2016 and 2019, respectively. For most organizations, the real concern is servers that have the AD FS role installed and participate in a federation farm. Windows Server 2012 R2 requires Extended Security Updates for the patch to be available through normal channels.
Why a 5.9 Severity Bug Demands Immediate Action
CVSS scores are useful for prioritizing thousands of patches, but they often understate the business impact of an identity service outage. AD FS sits in the critical path for authenticating users to Microsoft 365, third-party SaaS platforms, and on-premises applications that rely on claims-based authentication. If the federation endpoint becomes unresponsive, helpdesk phones light up, productivity stops, and revenue-generating systems may be cut off.
An unauthenticated attacker needs only network access to a vulnerable AD FS endpoint. No stolen credentials, no phishing lure, no user interaction. This means any AD FS instance that is reachable from the internet or even a large internal network is a potential target. To make matters worse, Microsoft disclosed a separate AD FS elevation-of-privilege vulnerability (CVE-2026-56155) in the same batch, which was already being exploited in the wild. That makes July 2026 an especially urgent month for patching federation servers.
How We Got Here: A Patch Tuesday of Historic Proportions
The July 2026 Patch Tuesday release was one of the largest in recent memory, with hundreds of security fixes across the Microsoft ecosystem. CVE-2026-50324 was a vendor-confirmed but not publicly known or exploited vulnerability at the time of release, according to both Microsoft and CISA. The flaw did not have a proof-of-concept or known attacks in the wild, but the sheer weight of the patch load—and the simultaneous exploitation of another AD FS bug—drove home the message that identity infrastructure must not be left unpatched.
BleepingComputer, which first reported the scale of the July updates, noted that denial-of-service issues featured prominently. The combination of a confirmed infinite-loop condition and the criticality of AD FS means organizations must treat this as more than a routine medium-severity item.
What to Do Now: Patching and Protecting Your Federation Farm
1. Inventory and Assess Every AD FS Node
Before anything else, list all servers that run the Active Directory Federation Services role. Use PowerShell’s Get-AdfsFarmInformation and your configuration management database. Record their OS version, current build number, and servicing channel. If any node is running an older build than the patched boundary for its release, it is vulnerable.
2. Deploy the July 2026 Updates Through Your Normal Change Process
For a multi-node AD FS farm, the safest approach is a rolling update:
- Remove one node from the load balancer
- Apply the July 2026 cumulative security update
- Reboot if required (plan for it)
- Verify that the AD FS service starts, that token signing certificates are still accessible, and that the node rejoins the farm
- Test interactive sign-ins, Office 365 authentication, and a sample relying-party trust
- Check Event Viewer for AD FS Admin events, monitor CPU and request latency, and confirm the load balancer health probe responds
- Once stable, return the node to service and move to the next
For single-server farms, schedule a maintenance window, notify users, and have a clear rollback plan. Post-update validation is non-negotiable: a server that boots and shows a green service icon can still have a broken federation pipeline.
3. If You Cannot Patch Immediately
Reduce exposure without disrupting legitimate traffic:
- Ensure that only the minimum necessary AD FS endpoints are published to the Internet (e.g., the federation metadata endpoint and WS-Federation passive endpoint)
- Implement rate limiting on your Web Application Proxy or load balancer to blunt any DoS attempt
- Monitor for anomalous spikes in authentication latency, CPU usage, or failed sign-in requests
- Prepare a tested recovery runbook: if an AD FS process hangs, know the exact steps to drain the node, restart the service or server, and validate token issuance
These controls are not substitutes for the patch. They reduce, but do not eliminate, risk.
Outlook
The disclosure of CVE-2026-50324 highlights a recurring theme: identity services are high-value targets, and even a medium-severity bug can cascade into a full-blown outage. Microsoft may release additional technical details or detection guidance in the coming weeks, but attackers can also reverse-engineer the patch. Given the high attack complexity, widespread opportunistic exploitation is unlikely, but targeted attacks against organizations with externally facing AD FS are plausible.
Administrators should watch for updates to the Microsoft Security Response Center advisory and for any CISA alerts indicating active exploitation. The next Patch Tuesday is a month away, but if an exploit surfaces sooner, out-of-band patches are possible. For now, the safest course is to ensure every AD FS server in your organization has crossed the patched build boundary.