Cyber Resilience

CVE-2026-26151

HighUpdated

Published: 14 April 2026

Published
14 April 2026
Modified
26 May 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
EPSS Score 0.0083 52.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-26151 is a high-severity Insufficient UI Warning of Dangerous Operations (CWE-357) vulnerability in Microsoft Windows 10 21H2. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique GUI Input Capture (T1056.002); ranked in the top 47.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-17 (Remote Access).

Deeper analysis

CVE-2026-26151 is a vulnerability in Windows Remote Desktop stemming from insufficient UI warnings for dangerous operations, which allows an unauthorized attacker to perform spoofing over a network. Published on 2026-04-14, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N) and maps to CWE-357.

The attack requires no privileges and can be launched over the network with low complexity, though it demands user interaction. Successful exploitation enables high-impact confidentiality violations alongside low-impact integrity alterations, such as spoofing to trick users into disclosing sensitive information.

For mitigation guidance and patch details, refer to the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26151.

EU & UK References

Vulnerability details

Insufficient ui warning of dangerous operations in Windows Remote Desktop allows an unauthorized attacker to perform spoofing over a network.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1056.002 GUI Input Capture Collection
Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt.
T1684.001 Impersonation Stealth
Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf.
Why these techniques?

Vulnerability enables UI-based spoofing in RDP to trick users into disclosing sensitive data via insufficient warnings (maps to GUI Input Capture and Impersonation).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25187Same product: Microsoft Windows 10 1607
CVE-2026-26160Same product: Microsoft Windows 10 1607
CVE-2026-32202Same product: Microsoft Windows 10 1607
CVE-2026-25177Same product: Microsoft Windows 10 1607
CVE-2026-26159Same product: Microsoft Windows 10 1607
CVE-2026-34351Same product: Microsoft Windows 10 1607
CVE-2026-23669Same product: Microsoft Windows 10 1607
CVE-2026-27914Same product: Microsoft Windows 10 1607
CVE-2026-27909Same product: Microsoft Windows 10 1607
CVE-2026-23672Same product: Microsoft Windows 10 1607

Affected Assets

microsoft
windows 10 1607
≤ 10.0.14393.9060 · ≤ 10.0.14393.9060
microsoft
windows 10 1809
≤ 10.0.17763.8644 · ≤ 10.0.17763.8644
microsoft
windows 10 21h2
≤ 10.0.19044.7184 · ≤ 10.0.19044.7184 · ≤ 10.0.19044.7184
microsoft
windows 10 22h2
≤ 10.0.19045.7184 · ≤ 10.0.19045.7184 · ≤ 10.0.19045.7184
microsoft
windows 11 23h2
≤ 10.0.22631.6936 · ≤ 10.0.22631.6936
microsoft
windows 11 24h2
≤ 10.0.26100.8246 · ≤ 10.0.26100.8246
microsoft
windows 11 25h2
≤ 10.0.26200.8246 · ≤ 10.0.26200.8246
microsoft
windows 11 26h1
≤ 10.0.28000.1836 · ≤ 10.0.28000.1836
microsoft
windows server 2012
all versions, r2
microsoft
windows server 2016
≤ 10.0.14393.9060
+4 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the insufficient UI warnings vulnerability in Windows Remote Desktop through timely application of vendor patches from the Microsoft Security Response Center advisory.

AC-17 Remote Access partial match
prevent

Manages and authorizes remote access to limit network-based spoofing attacks exploiting Remote Desktop's UI deficiencies.

prevent

Protects the authenticity of Remote Desktop communications sessions to mitigate unauthorized spoofing that relies on inadequate UI warnings for dangerous operations.

References