Microsoft shipped a critical update for its Defender for Endpoint security software on macOS on July 14, 2026, patching a vulnerability that could let an attacker with low-level access to your Mac siphon off private information. The flaw, tracked as CVE-2026-50657, affects every Defender for Endpoint for Mac release from version 101.0.0 up to — but not including — build 101.26042.0020. The fix is available now through Microsoft AutoUpdate.

The update is not just another routine definition refresh. It replaces vulnerable application code, and Microsoft rates the issue “Important.” While the immediate risk to average Mac users is lower than a network-borne attack, the nature of the exposed data and Defender’s deep reach into the system make this a patch you don’t want to postpone.

A Bug in Your Mac’s Security Software

CVE-2026-50657 is an information-disclosure vulnerability. According to Microsoft’s advisory, an attacker who already has local access and low-level privileges on your Mac could exploit the flaw to access private personal information that normally sits behind a security boundary. The exact data at risk isn’t spelled out publicly, but Microsoft describes the confidentiality impact as “high.” That’s a red flag for any tool that operates with the kind of system-wide visibility that endpoint detection and response (EDR) software commands.

The attack complexity is rated high, and exploitation requires no extra user interaction once the attacker has a foothold. The CVSS 3.1 score comes out to 4.7 (Medium), but Microsoft’s internal severity rating of “Important” reflects the product’s privileged position. A successful breach wouldn’t let an attacker modify files or crash your machine — no integrity or availability impact — but it could expose sensitive details that make other attacks easier.

Crucially, this is not a remote-code-execution hole or a privilege-escalation bug. Two separate Defender for Mac vulnerabilities also disclosed in July (CVE-2026-50658 and CVE-2026-56178) do carry elevation-of-privilege risk, so the overall July patch bundle for macOS is worth reviewing in full.

Who Is at Risk?

If you run Microsoft Defender for Endpoint on your Mac, you’re affected unless you’ve already updated to build 101.26042.0020 or later. This includes personal users who downloaded Defender from Microsoft’s site, as well as devices managed through Intune, Jamf Pro, or another endpoint management platform.

The attack vector is local. That means an attacker must already have a user account on your Mac — either through a compromised guest account, malware that gained low-privilege execution, or a malicious insider. The vulnerability doesn’t open the door to your machine from the internet. But once someone is in, they could exploit CVE-2026-50657 to cross an information boundary and harvest data that Defender itself might have been protecting or monitoring.

For IT administrators, shared Macs, developer workstations, and executive devices represent higher-priority targets. Security researchers’ machines also warrant immediate attention, since Defender telemetry on those endpoints could contain sensitive investigation data.

The Road to the Patch

Microsoft disclosed CVE-2026-50657 through its Security Response Center on July 14, 2026, as part of its regular monthly security release cycle. At the time of disclosure, the Zero Day Initiative noted no evidence of public exploitation or availability of a proof-of-concept. That doesn’t mean it’s safe to wait. The CVE identifier, affected version range, and weakness classification are now public, giving attackers a starting point for reverse-engineering the flaw.

Defender for Endpoint on macOS receives several types of updates: security intelligence (malware signatures), engine updates, and full application releases. CVE-2026-50657 is patched only by updating the application itself. Simply checking that your malware definitions are current does nothing to close this vulnerability. Administrators who rely solely on signature freshness reports could inadvertently leave devices exposed.

The fix first appeared in build 101.26042.0020, which Microsoft distributes via Microsoft AutoUpdate (MAU). Managed environments typically get these updates on a schedule, but sleeping laptops, update deferrals, or damaged MAU installations can cause gaps.

How to Protect Your Mac Today

For individual Mac users, the immediate step is to verify your Defender version and force an update if needed.

  1. Check your current version. Open Microsoft Defender for Endpoint on your Mac, go to the app menu, and select “About Microsoft Defender.” The build number should be 101.26042.0020 or higher.
  2. If you’re behind, trigger Microsoft AutoUpdate. From the Defender menu, choose “Check for Updates.” If that doesn’t pull the new build, you can use the command-line utility msupdate:
    cd /Library/Application\ Support/Microsoft/MAU2.0/Microsoft\ AutoUpdate.app/Contents/MacOS ./msupdate --install --apps wdav00
    The wdav00 identifier specifically targets Defender for Endpoint.
  3. Verify the update took. Repeat the version check after installation.

For IT administrators, the workflow is broader:

  • Inventory your fleet. Use Intune, Jamf Pro, or your management platform to report the installed application version of Microsoft Defender for Endpoint, not just the engine or signature version.
  • Identify stragglers. Any device running a build earlier than 101.26042.0020 should be flagged as vulnerable.
  • Confirm Microsoft AutoUpdate is healthy. Ensure MAU is enabled and able to install updates. Some organizations disable auto-update and use their management tools to push packages — in that case, deploy the latest Defender for Endpoint package manually.
  • Force remediation where necessary. Use the msupdate command via remote shell or management script on out-of-date devices.
  • Follow up with a compliance check. After the deployment window closes, re-query your fleet and investigate any devices still on old builds. For high-value Macs that were exposed, review local account access and recent activity for anomalies.

Microsoft has not released indicators of compromise for this specific vulnerability, so there’s no simple log query to confirm you weren’t hit. Standard endpoint monitoring — unusual process execution, unexpected data access patterns — remains your best detection layer.

What Comes Next

No public exploit code exists for CVE-2026-50657 as of mid-July 2026, but that could change. Microsoft typically waits several weeks before sharing deep technical details, and third-party researchers or attackers may fill the gap. If you haven’t updated yet, now is the time.

This incident also highlights a broader truth: security software itself can become a liability. Defender for Endpoint holds extensive permissions and handles sensitive data — when it has a flaw, the consequences can ripple through your entire security posture. Microsoft’s July Mac patch bundle includes two other Defender vulnerabilities (CVE-2026-50658 and CVE-2026-56178) that enable privilege escalation, so a full update sweep is wise.

For now, the single most effective action is to get every managed Mac onto build 101.26042.0020 or later and confirm it sticks.