On July 14, 2026, Microsoft rolled out a security update that plugs a sensitive information leak in Windows Push Notifications, a flaw that could let an already-logged-in user pull confidential data from the system. CVE-2026-50339, rated medium severity with a CVSS score of 5.5, carries a high confidentiality impact, meaning that while it doesn’t let attackers modify files or crash the machine, it can expose data that should stay private. The bug touches every current Windows client and server release—from Windows 10 1809 to Windows 11 version 26H1, and Windows Server 2019 through 2025—making this a patch you can’t skip.

The July 2026 Patch: What It Closes

Microsoft’s security advisory confirms the vulnerability lies within the Windows Push Notifications component, the service that handles toast notifications, background alerts, and tile updates. When exploited, an attacker with low-privilege access to the machine can extract information that they shouldn’t be able to see. No user interaction is needed once the attacker is authenticated; they just need to run code on the target device.

The company hasn’t published the exact technical mechanism—whether it’s uninitialized memory, a broken authorization check, or leaked data from interprocess communication—but it’s catalogued under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). Microsoft assigned the CVSS vector string AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, which translates to an attack that’s local (requires access to the target machine), low complexity, privileges required are low (so a standard user account suffices), no user interaction, and no impact on integrity or availability beyond the confidentiality breach.

Every Version That Needs the Fix

Microsoft supplied a comprehensive list of affected versions, along with the build numbers that mark the secure boundary. Any Windows installation running a build below these numbers is vulnerable:

OS Version Minimum Secure Build
Windows 10 1809 17763.9020
Windows 10 21H2 19044.7548
Windows 10 22H2 19045.7548
Windows 11 24H2 26100.8875
Windows 11 25H2 26200.8875
Windows 11 26H1 28000.2269
Windows Server 2019 17763.9020
Windows Server 2022 20348.5386
Windows Server 2025 26100.33158

The patch arrives through the standard cumulative update process. If your system has already applied the July 2026 monthly security update (or any later rollup), you’re covered. There’s no standalone out-of-band fix.

Note that older Windows 10 editions like 1809 and 21H2 are only supported under specific programs such as LTSC or paid extended security updates. If you’re still running them, verify that your licensing entitles you to these patches; otherwise, your exposure persists indefinitely.

The Risk: A Local Attack with High Stakes

CVE-2026-50339 is a local attack vector, which often gets shrugged off as less urgent than a remote code execution bomb. But in many enterprise and shared-computing scenarios, local access is trivial. Think about hospitals with shared nurse workstations, call centers, university computer labs, corporate VDIs, or even a family PC where multiple users log in. An attacker who already has a foothold—maybe through a phishing lure that delivered a trojan, or just a disgruntled employee—can exploit this flaw to read secrets that might belong to another user or the system.

The high confidentiality rating means the leaked data could be genuinely sensitive. While Microsoft hasn’t detailed exactly what data might spill, possibilities include notification payloads from other apps (potentially containing password reset links, two‑factor codes, or private messages), or internal system data that could be leveraged for a more devastating attack. Information-disclosure bugs like this are often chained with other vulnerabilities to bypass security boundaries.

No user interaction is required. Unlike earlier notification-based attacks that trick victims into clicking a toast, this one works silently in the background once the attacker has code execution. That makes it particularly dangerous in environments that allow users to run arbitrary scripts or applications.

Why Your Shared PC Is the Biggest Target

For home users, the risk is lower if you’re the only person using your machine and you practice basic hygiene—don’t download untrusted executables, keep your browser updated. But in a household where kids or guests share a device, someone could run a tool to extract data they shouldn’t see.

For IT administrators, the real danger lies in multi-user systems: Remote Desktop Session Hosts, application servers that allow interactive logins, and developer machines that run untrusted code. In those cases, a low-privilege user could potentially read confidential information from another user’s notification stream, or even from system processes. Domain controllers and highly restricted servers might have fewer attack paths, but they still run the vulnerable component and should be patched on schedule.

The fact that Server Core installations are affected is also critical. Even without a desktop shell, Windows Push Notifications is present, so your stripped-down server isn’t immune just because you can’t see toast notifications. Disabling visible notifications in Settings is not a workaround; Microsoft hasn’t suggested any mitigation other than applying the security update.

How We Got Here

Windows Push Notifications have been a source of security scrutiny before. In recent years, Microsoft has patched similar information-disclosure vulnerabilities in related components, such as the Windows Notification Platform and the Windows Push Notification Service. None of those matches the exact nature of CVE-2026-50339, but the recurrence underscores a persistent challenge: notification systems often bridge data between apps and users, and any flaw in that bridge can inadvertently expose confidential information.

The July 2026 patch is part of Microsoft’s regular Patch Tuesday release. The vulnerability was likely reported through the Microsoft Security Response Center (MSRC) responsible disclosure program, though the original reporter is not credited in the advisory. The NIST National Vulnerability Database has not yet added its own analysis, which is typical for newly published CVEs; enrichment often takes weeks. This leaves defenders relying on Microsoft’s own assessment, which is adequate for prioritizing patches but lacks the finer detail needed to create behavioral detection rules.

What to Do Now

The most straightforward action: install the latest cumulative update. Microsoft’s patching model means you don’t need to hunt for a special fix. Windows Update will deliver it automatically for consumer and most domain-joined machines. For managed environments:

  1. Verify current build: Use winver or Get-ComputerInfo -Property OsName, OsVersion, OsHardwareAbstractionLayer in PowerShell to check the build number against the table above.
  2. Push the July 2026 cumulative update via Windows Update for Business, WSUS, or your endpoint management tool (Intune, ConfigMgr). The KB numbers aren’t listed in the advisory, but Microsoft typically publishes them alongside the Patch Tuesday release notes; search for the 2026‑07 update for your OS version.
  3. Prioritise: Focus on endpoints that allow multiple users to log in interactively—RDS hosts, VDI pools, developer workstations, and shared kiosk PCs. Isolate or closely monitor any that can’t be patched immediately.
  4. Audit server installations: Even if you’ve disabled the desktop experience, Windows Server Core runs the vulnerable code. Scan your entire server fleet to ensure nothing has been missed.

If you can’t deploy updates right away, consider reducing the attack surface by enforcing software restriction policies that prevent unauthorised code execution. Application control solutions like Microsoft Defender Application Control or AppLocker can limit the ability of an attacker to run a malicious tool in the first place, but they do not fix the underlying vulnerability—patching remains the only reliable fix.

Outlook: What to Watch Next

CVE-2026-50339’s technical details remain sparse, which is typical for Microsoft patch day disclosures. Over the coming weeks, either Microsoft may publish an updated advisory with deeper technical analysis, or security researchers might reverse-engineer the patch and release a proof of concept. Once that happens, the risk window tightens for organisations that haven’t patched, because even unsophisticated attackers could weaponize the information.

There’s also a chance that further investigation reveals the exact data that can be leaked. If it includes highly sensitive information like encryption keys, authentication tokens, or sensitive user content, the severity could be re-evaluated upward. Already, the high confidentiality impact tells us this isn’t a trivial bug.

Keep an eye on your SIEM or threat intelligence feeds for any mention of CVE-2026-50339 exploitation. If you see it appearing in attacker toolkits, it’s time to accelerate your patching—but hopefully, you won’t have to scramble because you’ll have already deployed the July updates.