🟡 Medium  |  Source: Microsoft Security Response Center


CVE-2026-49165 is an information disclosure vulnerability in the Microsoft Windows App Store, caused by the use of an uninitialised resource. A locally authenticated attacker could exploit this flaw to access sensitive information they should not be able to see. Whilst exploitation requires local access and does not allow remote code execution, unintended data exposure can still facilitate further attacks or privilege escalation.

Security Architect’s Take: Ensure Windows endpoints and any Azure-connected devices running the Windows App Store are patched promptly via your patch management tooling; additionally, review least-privilege controls and local user access policies to reduce the risk of a local attacker reaching this attack surface.

Original advisory: CVE-2026-49165 Microsoft Windows App Store Information Disclosure Vulnerability