CVE-2026-45594: Windows AppID Information Disclosure – Medium-Severity Patch Guidance
CVE-2026-45594 is a medium-severity information disclosure vulnerability in Windows Application Identity (AppID) Subsystem. An attacker who already has local access to a Windows machine can exploit this flaw to read sensitive information that should not be accessible to them. The vulnerability requires the attacker to have user-level privileges and does not involve any user interaction. It affects Windows 10 and Windows 11 across multiple versions, as well as Windows Server 2016 through 2025.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-200
- Affected products
- 22 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Exposure of sensitive information to an unauthorized actor in Windows Application Identity (AppID) Subsystem allows an authorized attacker to disclose information locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This vulnerability stems from improper access controls in the Windows AppID Subsystem, falling under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS 3.1 vector (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) indicates local attack surface with low attack complexity, requiring low privileges, no user interaction, and resulting in high confidentiality impact while maintaining system integrity and availability. The flaw allows an authenticated local user to bypass intended information disclosure protections and access data that should be protected within the AppID subsystem.
Business impact
Information disclosure vulnerabilities in core Windows subsystems can expose sensitive data such as credentials, service account information, application configuration details, or other privileged data. For organizations relying on shared systems or multi-tenant environments, this creates a risk that a standard user account could extract information that should remain confidential to higher-privileged roles or specific applications. The business impact depends on what sensitive data is accessible through the AppID Subsystem in your deployment—potential exposure ranges from minor configuration leakage to credential compromise. Desktop environments, particularly those supporting contractors, service providers, or shared systems, face higher risk.
Affected systems
This vulnerability affects all currently supported Windows 10 releases (versions 1607, 1809, 21H2, and 22H2), Windows 11 releases (23H2, 24H2, 25H2, and 26H1), and Windows Server versions 2016, 2019, 2022, and 2025. The broad scope of affected versions means that nearly all Windows endpoints and servers in enterprise environments require remediation. Organizations should prioritize inventory and patching across client and server platforms without delay.
Exploitability
This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting no observed in-the-wild exploitation at the time of this writing. However, the low attack complexity and low privilege requirement mean that exploitation is straightforward once an attacker gains local system access. The threat model assumes an attacker has already obtained a user-level account or interactive logon session. For organizations in high-threat environments or those supporting untrusted users on shared systems, the risk of eventual exploitation should be regarded as real despite the current lack of public exploitation.
Remediation
Apply the official Microsoft security update for Windows through Windows Update, WSUS, or your endpoint management system. Verify against the latest Microsoft Security Update Guide that patches are available and installed across all affected Windows 10, Windows 11, and Windows Server versions in your environment. Additionally, apply principle of least privilege by limiting local logon privileges and enforcing credential controls. Restrict local administrative access and monitor for suspicious local account activity using Event Viewer and security event logs.
Patch guidance
Microsoft releases monthly security updates on Patch Tuesday. Consult the Microsoft Security Update Guide and relevant KB articles to confirm patch availability and version compatibility for your Windows releases. Test patches in a non-production environment first to ensure stability with your applications and AppID-dependent services. For Windows Server, plan patching during maintenance windows and monitor for any compatibility issues with running applications or services that depend on AppID functionality. Enable automatic updates where feasible, or schedule manual updates through your change management process. Verify successful patching by confirming the security update KB number has been installed on each system.
Detection guidance
Monitor Windows Event Viewer security logs for unauthorized access attempts to protected resources. Enable auditing on the AppID service and audit policy for data access through Group Policy or auditpol.exe. Watch for suspicious enumeration of services, configuration data, or credential stores by non-administrative accounts. Implement behavioral detection rules to flag unusual local account activity, particularly any attempts to access protected application identity data. Endpoint Detection & Response (EDR) tools should be configured to flag suspicious interprocess communication or file access patterns involving AppID-related processes. In shared or contractor environments, closely monitor user session logs and resource access events.
Why prioritize this
Although CVSS 5.5 (MEDIUM) suggests moderate priority, this vulnerability should be treated as high-priority for several reasons: (1) it affects an enormous install base spanning Windows 10, 11, and Server editions; (2) local privilege escalation and lateral movement often begin with information disclosure; (3) the AppID subsystem is core to Windows security architecture, making any flaw in it a concern; (4) the low privilege requirement means many insider or compromised account scenarios are relevant. Organizations should prioritize patching client and server systems accordingly, particularly those supporting sensitive workloads or untrusted users.
Risk score, explained
The CVSS score of 5.5 reflects a medium-severity vulnerability with high confidentiality impact but no integrity or availability risk. The score appropriately captures the local-only attack vector and the requirement for prior user access. However, given the breadth of affected systems and the role of the AppID subsystem in Windows security architecture, organizations should consider this a high-priority patch from an operational perspective, even though the raw CVSS score is moderate. Context matters: widespread, local information disclosure in core OS subsystems warrants faster patching cycles than the numeric score alone suggests.
Frequently asked questions
Does this vulnerability allow remote code execution or privilege escalation?
No. CVE-2026-45594 is strictly an information disclosure vulnerability. It allows an attacker who already has local user access to read sensitive information. It does not enable remote code execution, denial of service, or direct privilege escalation. However, information disclosed through this flaw could potentially be leveraged in a follow-up attack.
Do I need to patch if I restrict local logon access on my systems?
Restricting local logon access reduces risk, but is not a substitute for patching. Even in restricted environments, service accounts, support personnel, or administrative staff may have legitimate local access. The proper remediation is to apply the security update from Microsoft while maintaining principle of least privilege as a defense-in-depth measure.
Is this vulnerability being exploited in the wild?
As of the most recent information, CVE-2026-45594 is not listed in the CISA Known Exploited Vulnerabilities catalog. However, the lack of public reports does not mean exploitation will not occur. Given the straightforward nature of local exploitation and the sensitive nature of AppID data, organizations should treat this as a priority patch regardless of current threat intelligence.
What is the AppID Subsystem and why should I care?
The Application Identity Subsystem in Windows manages security attributes and identity information for applications and services. It is used by Windows Defender, User Account Control, and other security mechanisms to enforce access controls. A flaw in AppID could potentially expose information used to enforce application-level security policies or to identify trusted versus untrusted services.
This analysis is provided for informational purposes and reflects publicly available information as of the publication date. Vulnerability details, patch availability, and exploitation status may change. Organizations should verify patch availability through official Microsoft channels before implementing remediation. This explainer does not constitute legal or professional security advice. Consult with your security team, conduct risk assessments appropriate to your environment, and follow your organization's change management processes before deploying patches. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and assumes no liability for actions taken in reliance upon it. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11162MEDIUMChrome CSS Cross-Origin Data Leak Vulnerability
- CVE-2026-11168MEDIUMChrome Extension Memory Disclosure Vulnerability
- CVE-2026-11180MEDIUMChrome SVG Cross-Origin Data Leak – Patch & Mitigation Guide
- CVE-2026-11182MEDIUMChrome SVG Cross-Origin Data Leak Vulnerability
- CVE-2026-11209MEDIUMGoogle Chrome Password Memory Disclosure (CVSS 6.5)
- CVE-2026-11271MEDIUMChrome Password Feature Information Disclosure Vulnerability
- CVE-2026-42906MEDIUMWindows Shell Information Disclosure Vulnerability
- CVE-2026-42907MEDIUMWindows Shell Information Disclosure (CVSS 6.5)