CVE-2026-20939 is an information disclosure vulnerability classified under CWE-200 affecting Microsoft Windows 10 Version 1607 (build 10.0.14393.0). The vulnerability resides in Windows File Explorer, where an authorized attacker with local access and low privileges can disclose sensitive information without requiring user interaction. The vulnerability does not allow modification or disruption of system operations, focusing solely on confidentiality compromise. The CVSS 3.1 base score is 5.5 (medium), reflecting local attack vector (AV:L), low attack complexity (AC:L), and privileges required (PR:L), with no user interaction (UI:N). The scope is unchanged (S:U), and the impact is high on confidentiality (C:H), none on integrity (I:N) and availability (A:N). The flaw could allow attackers to gain access to sensitive files or data that should otherwise be protected, potentially facilitating further attacks or data leakage. No public exploits or patches are currently available, indicating the need for proactive mitigation. The vulnerability affects legacy Windows 10 systems, which may still be in use in environments with strict upgrade cycles or legacy application dependencies.

The primary impact of CVE-2026-20939 is unauthorized local disclosure of sensitive information, which can compromise confidentiality. Organizations running Windows 10 Version 1607 are at risk of attackers accessing confidential files or data through Windows File Explorer without elevated privileges or user interaction. This exposure could lead to leakage of intellectual property, personal data, or security credentials, increasing the risk of subsequent attacks such as privilege escalation or lateral movement. Although the vulnerability does not affect system integrity or availability, the confidentiality breach can have significant consequences for compliance, privacy, and operational security. The impact is particularly critical in environments with sensitive data, such as government, healthcare, finance, and critical infrastructure sectors. Since the affected version is an older Windows release, organizations still using it may face increased risk due to lack of vendor support and patches.

1. Upgrade affected systems to a supported and fully patched version of Windows 10 or later to eliminate the vulnerability. 2. Restrict local access to systems running Windows 10 Version 1607 by enforcing strict physical and logical access controls, including limiting user accounts with local login privileges. 3. Implement application whitelisting and endpoint detection to monitor and prevent unauthorized use of Windows File Explorer or suspicious file access patterns. 4. Employ data classification and encryption to reduce the impact of potential information disclosure. 5. Conduct regular audits of local user activities and file access logs to detect anomalous behavior indicative of exploitation attempts. 6. If upgrading is not immediately possible, isolate legacy systems from sensitive networks and restrict network access to minimize exposure. 7. Educate users about the risks of local privilege misuse and enforce strong password policies to reduce the likelihood of unauthorized local access.