CVE-2026-49170
Windows StateRepository API Server file Elevation of Privilege Vulnerability
Description
Insufficient granularity of access control in Windows StateRepository API allows an authorized attacker to elevate privileges locally.
In plain language
AI Act nowThis is a Windows local privilege-escalation flaw that could let a low-privilege user gain administrator/system power; if your business machines are running these Windows versions and aren’t fully updated, you should act.
CVE-2026-49170 is a local Windows StateRepository API Server weakness (CWE-285/CWE-1220) where insufficient access-control granularity lets a low-privileged, locally authenticated user elevate to administrator/system.
What to do now
- Check whether your organization uses any of these: Windows 10, Windows 11, Windows Server 2019, Windows Server 2022, or Windows Server 2025.
- For each affected device, identify the installed OS build/patch level (Windows Update “View update history” and/or system version).
- Update Windows until it reaches the fixed version for your edition:
- Windows 10: 10.0.17763.9020 (or 10.0.19044.7548, or 10.0.19045.7548)
- Windows 11: 10.0.26100.8875 (or 10.0.26200.8875, or 10.0.28000.2269)
- Windows Server 2019: 10.0.17763.9020
- Windows Server 2022: 10.0.20348.5386
- Windows Server 2025: 10.0.26100.33158
- If you can’t patch immediately, restrict local logins on the machine to only necessary accounts (since exploitation requires low-level privileges locally), and treat any unapproved local accounts as a high priority to remove.
CVSS Vector Breakdown
AV:LAttack VectorAC:LAttack ComplexityPR:LPrivileges RequiredUI:NUser InteractionS:UScopeC:HConfidentialityI:HIntegrityA:HAvailabilityWeaknesses
Affected Products
Exploitability
References
- Microsoft and Adobe Patch Tuesday, July 2026 Security Update Reviewen-us·Qualys Security Blog·
- Microsoft Patch Tuesday for July 2026 — Snort rules and prominent vulnerabilitiesen·Cisco Talos·
- Microsoft Patch Tuesday July 2026 - The AI Acopolypse is Hereen·SANS Internet Storm Center·
- Microsoft July 2026 Patch Tuesday fixes massive 570 flaws, 3 zero-daysen-us·BleepingComputer·
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2026-49170 and every CVE in our database. Create a free account — no credit card required.
Create Free Account