CVE-2026-45594: Windows 10 Information Disclosure Flaw

CVE-2026-45594 Overview

CVE-2026-45594 is an information disclosure vulnerability in the Windows Application Identity (AppID) subsystem. The flaw allows an authorized local attacker to read sensitive data they should not have access to. The issue is tracked under CWE-200: Exposure of Sensitive Information to an Unauthorized Actor.

The vulnerability affects a broad range of Windows client and server editions, including Windows 10, Windows 11, and Windows Server 2016 through 2025. Microsoft published the advisory on June 9, 2026, and the issue has not been observed under active exploitation.

Critical Impact

A locally authenticated attacker can disclose confidential information processed by the Windows AppID subsystem without requiring user interaction.

Affected Products

• Microsoft Windows 10 (1607, 1809, 21H2, 22H2)
• Microsoft Windows 11 (23H2, 24H2, 25H2, 26H1)
• Microsoft Windows Server 2016, 2019, 2022, and 2025

Discovery Timeline

• 2026-06-09 - CVE-2026-45594 published to NVD
• 2026-06-11 - Last updated in NVD database

Technical Details for CVE-2026-45594

Vulnerability Analysis

The Windows Application Identity (AppID) service determines and verifies the identity of applications, supporting features such as AppLocker policy enforcement. CVE-2026-45594 stems from the subsystem returning or exposing data to callers that lack the privilege level required to view it.

An authorized user on the system can interact with the AppID subsystem and observe data that crosses a trust boundary. Because confidentiality impact is high while integrity and availability are unaffected, the issue is a pure information disclosure flaw rather than a path to code execution.

Exploitation requires existing local access with low privileges. The attack complexity is low and no user interaction is needed, but the attacker must already authenticate to the target host.

Root Cause

The root cause is improper handling of sensitive data within the AppID subsystem, classified as [CWE-200]. The component fails to apply adequate access controls or sanitization before returning information to a caller, allowing data intended for a higher trust context to leak to lower-privileged processes.

Attack Vector

The attack vector is local. An attacker first obtains valid credentials or compromises a low-privileged account on a vulnerable Windows host. The attacker then issues calls or queries to the AppID subsystem and parses the responses to extract sensitive information such as configuration data, tokens, or other artifacts that could support further privilege escalation or lateral movement.

No public proof-of-concept code, exploit module, or in-the-wild exploitation has been reported. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2026-45594

Indicators of Compromise

• Unexpected processes running under low-privileged user contexts that repeatedly query the AppID service (appidsvc) or open handles to \Device\AppID* objects.
• Anomalous calls into appidapi.dll or appid.sys from non-administrative processes.
• Spikes in AppLocker or AppID event log activity from accounts that do not typically perform software inventory or policy operations.

Detection Strategies

• Hunt for command-line tools, scripts, or custom binaries that enumerate AppID-related registry keys under HKLM\SYSTEM\CurrentControlSet\Services\AppID.
• Correlate local logon events (Event ID 4624 type 2/10) with subsequent access to AppID service endpoints from the same session.
• Baseline normal callers of the AppID subsystem in your environment and alert on deviations, particularly from interactive user sessions.

Monitoring Recommendations

• Forward Windows Security, System, and AppLocker channel logs to a centralized analytics platform for correlation across hosts.
• Track patch deployment status for the affected Windows versions and flag endpoints that remain unpatched after the maintenance window.
• Monitor for credential theft and lateral movement patterns that typically follow successful information disclosure on a host.

How to Mitigate CVE-2026-45594

Immediate Actions Required

• Apply the Microsoft security update referenced in the Microsoft CVE-2026-45594 Update Guide to all affected Windows client and server systems.
• Prioritize patching on multi-user systems, jump hosts, and terminal servers where multiple local accounts share the same machine.
• Audit local accounts and remove unnecessary interactive logon rights to reduce the population of users that can reach the vulnerable code path.

Patch Information

Microsoft has published an advisory and corresponding security update through the Microsoft Security Response Center. Refer to the Microsoft CVE-2026-45594 Update Guide for the specific KB articles applicable to each affected Windows build and architecture. Deploy the updates through Windows Update, WSUS, Microsoft Intune, or your standard patch management workflow.

Workarounds

• No vendor-supplied workaround replaces installing the security update; treat patching as the primary remediation.
• Restrict local logon and Remote Desktop access on sensitive hosts to trusted administrators only.
• Enforce least privilege by removing standard users from groups that grant interactive access to servers and high-value workstations.
• Use application control policies to limit which binaries unprivileged users can execute, reducing the chance of arbitrary tooling reaching the AppID subsystem.