Microsoft has shipped a critical security update for Age of Empires II: Definitive Edition to address a remote code execution vulnerability that could allow attackers to compromise a player’s Windows account. The flaw, tracked as CVE-2026-50663 and rated 8.8 (High), requires users to update to game version 101.103.46651.0 or later via Steam or the Microsoft Store.
The Vulnerability: How a Path Traversal Bug Becomes Code Execution
According to the Microsoft Security Response Center advisory published on July 14, 2026, CVE-2026-50663 stems from a relative path traversal weakness (CWE-23). In practical terms, this means the game’s code mishandles file paths in a way that lets an attacker break out of intended directories. An adversary could craft input—possibly a scenario file, a mod, a multiplayer packet, or some other game asset—to read, write, or replace files outside the game’s sandbox.
Microsoft’s CVSS 3.1 assessment paints a sobering picture. The attack vector is network-based, requires low complexity, and demands no privileges. Successful exploitation would hand an attacker high-impact control over confidentiality, integrity, and availability of the victim’s Windows account. However, user interaction is required; this is not a wormable, zero-click attack. The advisory does not reveal precisely which game feature or file format serves as the attack surface, but the message is unambiguous: any version of Age of Empires II: Definitive Edition older than 101.103.46651.0 is vulnerable.
Microsoft’s temporal scores add nuance. Exploit-code maturity is marked “unproven,” meaning no public exploit was known at disclosure time. Report confidence, however, is “confirmed”—the vendor is certain the flaw is real. And the remediation level is “official fix,” so the update isn’t a workaround; it’s a proper patch.
What the Fix Delivers
The update to version 101.103.46651.0 is the security boundary. It does not just block a known exploitation path; it corrects the underlying path-handling logic. Because the specific input vector isn’t disclosed, no configuration change or multiplayer restriction can substitute for installing the fixed build. Once you’re running 101.103.46651.0 or newer, the vulnerability is neutralized.
Microsoft has not released details on whether the same fix also resolves any other non-security bugs. The official Age of Empires website’s update notes and the support page for known issues may provide additional context, but from a security standpoint, the version number is the only reliable indicator. Players should verify the installed build, not just assume Steam or the Microsoft Store has finished updating.
Who Is Affected and What’s at Stake
Home Users and Casual Players
If you play Age of Empires II: Definitive Edition on a personal gaming PC, the risk is real but manageable. The game runs with your user account’s permissions, so successful code execution could access your documents, saved passwords in browsers, cryptocurrency wallets, or cloud-synced folders. The attack requires you to take an action—like joining a game or opening a file—so basic caution helps, but the only true safety net is the patch.
Esports and Shared Gaming PCs
In tournament setups, LAN centers, or family machines where multiple users launch the game, the risk amplifies. If one player’s session is compromised, the attacker’s foothold could persist across restarts. Administrators of these systems should treat this as a high-priority patch, not merely a routine game update. Confirm the build number on every machine; automatic updates from storefronts can silently fail if the client is paused, disk space is low, or the machine is left offline.
Enterprise and Managed Environments
Organizations that allow games on corporate devices face a thornier problem. Age of Empires II might be installed on a developer’s workstation alongside source code, CI/CD credentials, or VPN profiles. RCE through a game could pivot into the corporate network. Endpoint detection and response tools should flag installations below 101.103.46651.0, and application-control policies should block execution of the vulnerable binary until it’s updated. Without vendor-provided indicators of compromise, security teams should avoid overly narrow detections and instead monitor for unusual child processes or file writes from the game executable.
Timeline and Context
The CVE-2026-50663 advisory dropped on July 14, 2026, with no prior public disclosure or evidence of active exploitation. This is a coordinated disclosure: Microsoft had time to develop, test, and release the fix through normal game update channels before the vulnerability became public knowledge.
Historically, path traversal bugs in games aren’t unprecedented. The modding and custom-scenario communities often trade files that interact with the game engine in unexpected ways. While many games sandbox such content, gaps can appear. For Age of Empires II: Definitive Edition—a title with a vibrant multiplayer and scenario-design scene—the attack surface is broad. The lack of technical detail in the CVE entry suggests Microsoft is holding back specifics to buy time for the update to propagate.
Action Plan: How to Secure Your Game
Step 1: Force the Update
- Steam: Right-click the game in your library, select Properties > Updates, and ensure “Always keep this game updated” is set. Check the Downloads page for any pending items. If the version still lags, use “Verify integrity of game files” from the Local Files tab—it often triggers a repair and re-download.
- Microsoft Store / Xbox App: Open the app, go to Library, and click “Get updates.” If the game’s listing doesn’t show an update, restart the client or manually launch the game to force a version check.
Step 2: Confirm the Version Number
Launch Age of Empires II: Definitive Edition. The main menu typically displays the version in the bottom corner. If you see anything lower than 101.103.46651.0, do not engage with online play or open community content. Repeat the update process or, as a last resort, uninstall and reinstall the game.
Step 3: Resist Unofficial Patches
Scammers may offer modified executables or repackaged installers claiming to fix CVE-2026-50663. Never download game binaries from third-party sites. The only legitimate remediation comes through Steam or the Microsoft Store.
Step 4: Review Account Privileges (Optional)
If you regularly launch games from an administrator account, consider switching to a standard user account for day-to-day gaming. This won’t stop an RCE, but it can limit the blast radius if an exploit ever fires.
Looking Ahead
The real story is still unfolding. Microsoft has not committed to releasing technical details after a set period, so the exact nature of the path traversal may remain opaque for months. That’s a double-edged sword: it limits copycat attacks but also prevents the community from inspecting whether similar bugs lurk in other titles using the same engine or tools.
What is certain is that version 101.103.46651.0 is the security watermark. Game developers rarely issue a dedicated CVE for a minor patch, so this update deserves the same urgency as a critical Windows security fix. Until the gaming industry normalizes automated vulnerability reporting and transparent patch notes, players will have to parse CVEs alongside patch notes. For now, updating the game is the only move that matters.