Skip to main content

Microsoft CVE-2026-26160

| EUVDEUVD-2026-22385 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-04-14 microsoft
7.8
CVSS 3.1 · NVD
Temporal: 6.8
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CIRCL (temporal)
6.8 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 19:13 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:46 euvd
EUVD-2026-22385
Analysis Generated
Apr 14, 2026 - 17:46 vuln.today
Patch released
Apr 14, 2026 - 17:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 16:57 nvd
HIGH 7.8

DescriptionCVE.org

Missing authentication for critical function in Windows Remote Desktop Licensing Service allows an authorized attacker to elevate privileges locally.

AnalysisAI

Local privilege escalation in Windows Remote Desktop Licensing Service affects all supported Windows 10, Windows 11, and Windows Server versions (2012-2025) via missing authentication on a critical function. Authenticated local attackers with low privileges can exploit this CWE-306 authentication bypass to gain SYSTEM-level access with high impact to confidentiality, integrity, and availability (CVSS 7.8). Patch available per vendor; no public exploit identified at time of analysis. The wide foo

Technical ContextAI

This vulnerability stems from CWE-306 (Missing Authentication for Critical Function) in the Windows Remote Desktop Licensing Service, a component responsible for managing Remote Desktop Services (RDS) Client Access Licenses (CALs). The affected service exposes a privileged function callable by low-privileged local users without proper authentication checks. The CVSS vector AV:L/AC:L/PR:L/UI:N indicates local access with low complexity and low privileges required, meaning any authenticated domain or local user can invoke the vulnerable function. The S:U (unchanged scope) indicates the vulnerability is confined to the licensing service's privilege context, but the C:H/I:H/A:H ratings confirm full system compromise potential. Affected products span Windows Server 2012 (build 6.2.9200.0) through Windows Server 2025 (build 10.0.26100.0), Windows 10 versions 1607-22H2, and Windows 11 versions 22H3-26H1, encompassing both desktop and Server Core installations. The licensing service typically runs with elevated privileges, making it an attractive target for local privilege escalation in Remote Desktop Services deployments.

RemediationAI

Apply Microsoft security updates immediately via Windows Update or WSUS to patch the authentication bypass in Remote Desktop Licensing Service. Fixed versions are Windows 10 Version 1607 build 10.0.14393.9060 or later, Windows 10 Version 1809 build 10.0.17763.8644 or later, Windows 10 Version 21H2 build 10.0.19044.7184 or later, Windows 10 Version 22H2 build 10.0.19045.7184 or later, Windows 11 Version 22H3/23H2 build 10.0.22631.6936 or later, Windows 11 Version 24H2 build 10.0.26100.32690 or later, Windows 11 Version 25H2 build 10.0.26200.8246 or later, Windows 11 Version

Share

CVE-2026-26160 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy