Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.
AnalysisAI
Windows File Explorer information disclosure vulnerability in Windows 10 and Windows 11 allows authenticated local users to access sensitive information without authorization. The vulnerability affects multiple Windows 10 versions (1607, 1809, 21H2, 22H2), Windows 11 versions (22H3 through 26H1), and Windows Server 2016 through 2025. Microsoft has released patches addressing this CWE-200 information exposure flaw, with no evidence of active exploitation at the time of analysis.
Technical ContextAI
This vulnerability is classified as CWE-200: Exposure of Sensitive Information to an Unauthorized Actor, a root-cause category describing improper access controls on sensitive data. The flaw exists in Windows File Explorer, the native file system navigation and management component present across all Windows operating systems. The vulnerability requires local system access and authenticated user privileges (CVSS PR:L indicates a low-privileged authenticated user can trigger the issue), meaning the attacker must already have an account and login capability on the target system. File Explorer handles display and retrieval of file metadata, permissions, and attributes; this vulnerability likely stems from inadequate boundary checks or access controls when File Explorer retrieves or displays file information that should be restricted based on user permissions. The broad CPE coverage across Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 22H3, 23H2, 24H2, 25H2, 26H1), and Windows Server editions (2016, 2019, 2022, 2025) indicates the flaw is systemic to the File Explorer component across multiple OS families and release channels.
RemediationAI
Vendor-released patches are available from Microsoft. Update Windows 10 Version 1607 to build 14393.9060 or later, Windows 10 Version 1809 to build 17763.8644 or later, Windows 10 Version 21H2 to build 19044.7184 or later, Windows 10 Version 22H2 to build 19045.7184 or later, Windows 11 Version 22H3 to build 22631.6936 or later, Windows 11 Version 23H2 to build 22631.6936 or later, Windows 11 Version 24H2 to build 26100.32690 or later, Windows 11 Version 25H2 to build 26200.8246 or later, Windows 11 Version 26H1 to build 28000.1836 or later, Windows Server 2016 to build 14393.9060 or later, Windows Server 2019 to build 17763.8644 or later, Windows Server 2022 to build 20348.5020 or later, Windows Server 2025 to build 26100.32690 or later, and Windows Server 2025 23H2 Edition to build 25398.2274 or later. Deploy patches through Windows Update or Microsoft Update Catalog. For additional technical details and patch availability verification, consult Microsoft Security Response Center at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32081.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22513
GHSA-g7jx-wvf2-mwmr