Cyber Posture

CVE-2026-26151

High

Published: 14 April 2026

Published
14 April 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
EPSS Score 0.0009 25.1th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26151 is a high-severity Insufficient UI Warning of Dangerous Operations (CWE-357) vulnerability in Microsoft Windows 10 21H2. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique GUI Input Capture (T1056.002); ranked at the 25.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-17 (Remote Access).

Threat & Defense at a Glance

What attackers do: exploitation maps to GUI Input Capture (T1056.002) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly remediates the insufficient UI warnings vulnerability in Windows Remote Desktop through timely application of vendor patches from the Microsoft Security Response Center advisory.

AC-17 Remote Access partial match
prevent

Manages and authorizes remote access to limit network-based spoofing attacks exploiting Remote Desktop's UI deficiencies.

SC-23 Session Authenticity partial match
prevent

Protects the authenticity of Remote Desktop communications sessions to mitigate unauthorized spoofing that relies on inadequate UI warnings for dangerous operations.

MITRE ATT&CK Enterprise TechniquesAI

T1056.002 GUI Input Capture Collection
Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt.
attack.mitre.org →
T1656 Impersonation Stealth
Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf.
attack.mitre.org →
Why these techniques?

Vulnerability enables UI-based spoofing in RDP to trick users into disclosing sensitive data via insufficient warnings (maps to GUI Input Capture and Impersonation).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Insufficient ui warning of dangerous operations in Windows Remote Desktop allows an unauthorized attacker to perform spoofing over a network.

Deeper analysisAI

CVE-2026-26151 is a vulnerability in Windows Remote Desktop stemming from insufficient UI warnings for dangerous operations, which allows an unauthorized attacker to perform spoofing over a network. Published on 2026-04-14, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N) and maps to CWE-357.

The attack requires no privileges and can be launched over the network with low complexity, though it demands user interaction. Successful exploitation enables high-impact confidentiality violations alongside low-impact integrity alterations, such as spoofing to trick users into disclosing sensitive information.

For mitigation guidance and patch details, refer to the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26151.

Details

CWE(s)
CWE-357

Affected Products

microsoft
windows 10 1607
≤ 10.0.14393.9060 · ≤ 10.0.14393.9060
microsoft
windows 10 1809
≤ 10.0.17763.8644 · ≤ 10.0.17763.8644
microsoft
windows 10 21h2
≤ 10.0.19044.7184 · ≤ 10.0.19044.7184 · ≤ 10.0.19044.7184
microsoft
windows 10 22h2
≤ 10.0.19045.7184 · ≤ 10.0.19045.7184 · ≤ 10.0.19045.7184
microsoft
windows 11 23h2
≤ 10.0.22631.6936 · ≤ 10.0.22631.6936
microsoft
windows 11 24h2
≤ 10.0.26100.8246 · ≤ 10.0.26100.8246
microsoft
windows 11 25h2
≤ 10.0.26200.8246 · ≤ 10.0.26200.8246
microsoft
windows 11 26h1
≤ 10.0.28000.1836 · ≤ 10.0.28000.1836
microsoft
windows server 2012
all versions, r2
microsoft
windows server 2016
≤ 10.0.14393.9060
+4 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2026-27916Same product: Microsoft Windows 10 1607
CVE-2026-32077Same product: Microsoft Windows 10 1607
CVE-2026-26168Same product: Microsoft Windows 10 1607
CVE-2026-24294Same product: Microsoft Windows 10 1607
CVE-2026-27914Same product: Microsoft Windows 10 1607
CVE-2026-32183Same product: Microsoft Windows 10 1607
CVE-2026-27909Same product: Microsoft Windows 10 1607
CVE-2026-32202Same product: Microsoft Windows 10 1607
CVE-2026-27915Same product: Microsoft Windows 10 1607
CVE-2026-27923Same product: Microsoft Windows 10 1607

References