Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.
AnalysisAI
Windows File Explorer exposes sensitive information to authenticated local users with low privileges, allowing them to read confidential data without modification or service disruption. This affects multiple Windows 10 and Windows 11 versions, as well as Windows Server 2012 through 2025. Microsoft has released patches addressing the information disclosure vector; exploitation requires local system access and valid user credentials.
Technical ContextAI
The vulnerability resides in Windows File Explorer's handling of sensitive data, classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The flaw allows authenticated users with limited privileges to bypass information access controls and read files or data they should not have permission to view. This is a local attack vector affecting the Windows shell and file management subsystem across numerous versions and editions, including Server Core installations. The CVSS vector (AV:L/AC:L/PR:L) indicates the attack requires local access to the system and valid user credentials, with low attack complexity, meaning no special conditions are needed to exploit once access is established.
RemediationAI
Apply Microsoft-released patches immediately. For Windows 10 Version 1607, patch to build 14393.9060 or later; for Version 1809, 17763.8644 or later; for Version 21H2, 19044.7184 or later; for Version 22H2, 19045.7184 or later. For Windows 11 Version 22H3 and 23H2, patch to build 22631.6936 or later; for Version 24H2, 26100.32690 or later; for Version 25H2, 26200.8246 or later; for Version 26H1, 28000.1836 or later. Windows Server 2012 and R2 require build 9200.26026 and 9600.23132 respectively; Server 2016 requires 14393.9060; Server 2019 requires 17763.8644; Server 2022 requires 20348.5020; Server 2025 requires 26100.32690. Patches are available via Windows Update and the MSRC portal at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32084. No public workarounds are documented; patching is the primary remediation path.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22516