CVE-2026-41087
Undergoing Analysis Undergoing Analysis - In Progress

Sensitive Information Disclosure in Windows File Explorer

Vulnerability report for CVE-2026-41087, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-15

Assigner: Microsoft Corporation

Description

Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
microsoft windows_file_explorer *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-41087 is an information disclosure vulnerability in Windows File Explorer. It allows an authorized attacker with local access to disclose sensitive information to an unauthorized actor. This means that if an attacker has limited privileges on a system, they could exploit this flaw to access data they should not be able to see.

The vulnerability is classified with a CVSS v3.1 base score of 5.5, indicating a medium severity level. The vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N shows that the attack requires local access (AV:L), low attack complexity (AC:L), low privileges (PR:L), no user interaction (UI:N), and has a high impact on confidentiality (C:H) but no impact on integrity or availability.

Impact Analysis

This vulnerability can impact you in several ways if you are using a vulnerable version of Windows File Explorer:

  • Unauthorized access to sensitive information: An attacker with local access to your system could exploit this flaw to view or extract sensitive data stored on your device.
  • Potential data breaches: If the exposed information includes personal, financial, or confidential data, it could lead to further exploitation or misuse of that data.
  • Compliance risks: If the disclosed information is protected under regulations like GDPR or HIPAA, unauthorized access could result in compliance violations and associated penalties.

The impact is limited to systems where the attacker already has some level of authorized access, but the vulnerability could allow them to escalate their access to sensitive information.

Compliance Impact

This vulnerability can affect compliance with common standards and regulations in the following ways:

  • GDPR (General Data Protection Regulation): If the exposed information includes personal data of EU citizens, unauthorized disclosure could violate GDPR requirements for data protection and privacy. This may lead to investigations, fines, or legal action.
  • HIPAA (Health Insurance Portability and Accountability Act): If the disclosed information includes protected health information (PHI), this vulnerability could result in a HIPAA violation. Covered entities and business associates could face penalties for failing to protect PHI.
  • Other regulations: Depending on the nature of the exposed data, this vulnerability could also impact compliance with other industry-specific regulations, such as PCI DSS for payment card data or SOX for financial reporting.

Organizations should assess whether the vulnerability exposes regulated data and take steps to mitigate the risk to avoid compliance violations.

Mitigation Strategies

The provided context does not include specific mitigation steps for CVE-2026-41087. However, general best practices for addressing information disclosure vulnerabilities in Windows File Explorer may include:

  • Apply the latest security updates from Microsoft as soon as they are available. Check the Microsoft Update Guide for patches related to CVE-2026-41087.
  • Restrict local access to sensitive files and directories to minimize exposure to unauthorized actors.
  • Monitor Microsoft's security advisories for additional guidance or workarounds.
  • Ensure proper user permissions are enforced to limit the impact of local attacks.
Detection Guidance

This vulnerability involves information disclosure in Windows File Explorer. Detection requires checking for unusual file access patterns or unauthorized data exposure. Monitor File Explorer logs for suspicious activity and review recently accessed sensitive files. No specific commands are provided in the available resources.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41087. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart