Microsoft’s July 2026 Patch Tuesday rollout includes a fix for a Windows vulnerability that lets an attacker with basic local access extract sensitive information without any user interaction. The flaw, tracked as CVE-2026-50430, affects every supported client and server release, from decade-old Windows 10 1607 builds to the newest Windows 11 26H1 and Windows Server 2025.

What changed in the July updates?

The July 14, 2026 cumulative updates close an information-disclosure weakness inside Windows Push Notifications. Microsoft rates the issue Important and assigns it a CVSS 3.1 score of 5.5. The affected component handles toast notifications and background notification plumbing, but exploitability does not depend on whether you actually see alerts on your screen.

These are the minimum build numbers you must reach to be protected, straight from Microsoft’s advisory:

Windows edition Affected before build
Windows 10 1607 14393.9339
Windows 10 1809 17763.9020
Windows 10 21H2 19044.7548
Windows 10 22H2 19045.7548
Windows 11 24H2 26100.8875
Windows 11 25H2 26200.8875
Windows 11 26H1 28000.2269
Windows Server 2016 14393.9339
Windows Server 2019 17763.9020
Windows Server 2022 20348.5386
Windows Server 2025 26100.33158 (Microsoft’s listed threshold)

Server Core installations of Windows Server 2016, 2019, and 2025 are also in scope. If you run a Server Core machine, don’t skip this patch just because you assume “push notifications” means consumer desktop pop-ups.

The CVSS vector—AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N—spells out the attack conditions: local access only, low attack complexity, low privileges required, and no victim interaction. The sole impact is high confidentiality loss; integrity and availability are not directly affected.

What the bug means for you

For home users and small offices

If you use Windows 10 or Windows 11 at home and keep Windows Update on its default automatic setting, install the July cumulative update, reboot, and you’re done. The fix arrives through the same servicing channel that delivers monthly security patches. There’s no separate toggle to flip or feature to disable.

The risk is real but contained: an attacker must already have a foothold on your PC—think malware, a stolen local account, or a rogue app running under a limited user profile. Once that low-privileged code is running, CVE-2026-50430 can silently pull confidential data from the system without popping a dialog, launching a browser, or asking you to click anything. That leaked information might include memory contents, security tokens, or internal addressing details that help an attacker refine a more dangerous exploit.

Still, this is not an internet-facing nightmare. Nobody can scan your home network and trigger the vulnerability remotely, and Microsoft has not flagged it as actively exploited at the time of disclosure. However, because the attack complexity is low, any malware that achieves local execution could drop a payload that abuses this bug trivially.

For IT admins and managed fleets

The patching decision is binary: apply the July 2026 cumulative update or remain exposed to a confirmed information leak with no workaround. The “Important” rating means you should treat it as a standard deployment, but one that deserves priority ahead of low-severity fixes. Here’s what to do:

  • Inventory builds, not patch status. A device can report “up to date” while sitting on a failed install, a pending restart, or an older build because of feature-update deferral. Query the actual OS build number of every endpoint and compare it against the table above.
  • Include servers, especially Server Core. Administrators who manage Windows Server 2016/2019/2025 often exclude “desktop” components. But the vulnerable code ships as part of the servicing branch on those editions. If you patch Server with Desktop Experience, you must also patch Server Core—the vulnerable binaries are present.
  • Check Long-Term Servicing Channel (LTSC) and enterprise extended-security-update (ESU) machines. Windows 10 1607 and 1809, for example, are well past consumer support but may still be alive inside your factory floors, hospital imaging bays, or ATM fleets. Those devices need the same cumulative update.
  • Watch for testing delays. The cumulative package includes other security and quality fixes. Do your normal application compatibility testing, but don’t let “it’s only a local bug” turn testing paralysis into patch paralysis. Multi-stage attacks routinely chain a local information disclosure like this with a remote code execution bug to go from guest to domain admin.

Because Microsoft hasn’t published root cause details—no out-of-bounds read description, no specific memory region, no event-log artifact—defenders cannot write a reliable detection query signature just from the advisory. Endpoint detection and response (EDR) tools may flag unusual local process behavior around the push-notification service, but you cannot count on them to catch the precise data leak. Patching remains the only sure defense.

For developers and software vendors

If you write code that interacts with Windows Push Notifications—perhaps a notification broker, a toast helper library, or a service that subscribes to raw push channels—validate that your software continues to work after the update. The fix might touch internal structures that your debugging tools or test harnesses depend on. No public API changes have been announced, but test your continuous-integration pipeline against the new builds.

How we got here

The Windows Push Notifications component has existed in the operating system for years, handling everything from new-email alerts to breaking-news toasts and app-triggered notifications. As cloud services and real-time alerting grew, the underlying plumbing became more complex and more deeply integrated into the Windows shell.

Information-disclosure bugs in such background plumbing are not uncommon. In 2022, a similar local-leak CVE in the Windows Print Spooler service allowed unauthorized file reading. In 2024, a vulnerability in the Windows DWM Core library exposed data across process boundaries. Each time, the pattern repeats: a component that many users never think about contains a sliver of code that, when prodded by a local attacker, spills secrets.

CVE-2026-50430 follows that template. Microsoft’s advisory confirms the flaw exists and that it has been repaired in the July cumulative update. The National Vulnerability Database has populated its entry with the same data but hasn’t yet added third-party analysis, so the Microsoft advisory remains the primary technical source.

The assigned CWE is CWE-200, Exposure of Sensitive Information to an Unauthorized Actor. That classification tells you what happens, but not how it happens. Without a root-cause breakdown—e.g., “uninitialized kernel buffer returned to user mode” or “improper ACL on a notification channel”—security researchers and internal incident-response teams can’t write a quick scanner. That’s deliberate on Microsoft’s part; detailed technical notes often precede proof-of-concept code.

What to do now

  1. Install the July 14, 2026 cumulative update for your Windows edition. Use Windows Update for individual machines or your regular patch-management tool for fleets. The update contains the fix along with all other July security patches.
  2. Reboot and verify the build number. After restarting, check that the OS build equals or exceeds the threshold for your edition (see table above). If a device fails to reach the corrected build, troubleshoot the installation—don’t assume it’s patched.
  3. Do not rely on a feature workaround. There is no checkbox, Group Policy, registry key, or firewall rule that blocks exploitation of CVE-2026-50430. Disabling push notifications through Settings > System > Notifications does not remove the vulnerable code.
  4. Audit your server estate. Pull a fresh inventory of Windows Server 2016, 2019, 2022, and 2025 machines, specifically including any that run Server Core. Patch them on the same accelerated timeline you use for client desktops.
  5. Reassess your risk posture after patching. If an attacker already compromised a low-privileged account before you installed the July update, they may have exfiltrated data using this vulnerability. Review EDR logs for the period just before patching, looking for unusual process spawns or unexpected access to notification-related services. The lack of a specific detection signature means you’ll need to hunt for anomalies.

Outlook

CVE-2026-50430 is not the kind of five-alarm remote-code-execution vulnerability that makes organizations shut down servers overnight. But its “low complexity, no user interaction” profile makes it a prime ingredient in post-compromise toolkits. As we move through the second half of 2026, expect researchers to dig deeper into the fix and perhaps produce proof-of-concept code that demonstrates exactly what kind of data spills. Once that happens, the risk calculus shifts for unpatched machines. Apply the July update now, while the only public sign of the bug is a single advisory, and remove a reliable data-exfiltration lever from the hands of anyone who manages to log into your network.