CVE-2026-20839 is a vulnerability classified under CWE-284 (Improper Access Control) affecting the Windows Client-Side Caching (CSC) Service in Microsoft Windows 10 Version 1607 (build 10.0.14393.0). The CSC service is responsible for caching network files locally to improve performance and offline availability. The flaw arises because the service does not properly enforce access control policies, allowing an attacker who is already authorized on the system with limited privileges (PR:L) to access sensitive cached data that should be restricted. The attacker does not require user interaction (UI:N) and the scope of the vulnerability is unchanged (S:U), meaning the impact is confined to the same security scope. The vulnerability impacts confidentiality (C:H) but does not affect integrity or availability. The attack vector is local (AV:L), requiring the attacker to have local access to the machine. The vulnerability was published on January 13, 2026, with no known exploits in the wild and no official patches linked yet. The CVSS v3.1 base score is 5.5, indicating a medium severity level. This vulnerability could be leveraged to disclose sensitive information stored in the CSC cache, potentially exposing confidential data to unauthorized users with local access.

The primary impact of this vulnerability is the unauthorized disclosure of sensitive information stored in the Windows Client-Side Caching service. Organizations running Windows 10 Version 1607, especially those with legacy systems or limited patching capabilities, are at risk of local attackers gaining access to cached network data that should be protected. This could lead to leakage of confidential business information, user credentials, or other sensitive files cached for offline use. While the vulnerability does not allow for privilege escalation, code execution, or denial of service, the confidentiality breach could facilitate further attacks or insider threats. The requirement for local access limits the attack surface, but in environments with shared workstations, remote desktop access, or insider threats, the risk is significant. The lack of known exploits reduces immediate risk, but the absence of patches means the vulnerability remains open for exploitation if attackers develop techniques to leverage it.

To mitigate this vulnerability, organizations should prioritize upgrading from Windows 10 Version 1607 to a more recent and supported Windows 10 or Windows 11 version where this issue is resolved. Until upgrades are possible, restrict local access to affected systems by enforcing strict user account controls and limiting physical and remote access to trusted personnel only. Implement robust endpoint monitoring to detect unusual access patterns to the CSC cache or related services. Disable or restrict the use of Client-Side Caching where feasible, especially on sensitive systems. Employ application whitelisting and least privilege principles to reduce the risk of authorized users exploiting this flaw. Regularly audit local user permissions and remove unnecessary privileges. Stay alert for official patches or security advisories from Microsoft and apply them promptly once available. Consider network segmentation to isolate legacy systems and reduce exposure.