Skip to main content

Slate Digital Connect CVE-2026-24066

| EUVDEUVD-2026-36002 HIGH
Improper Following of a Certificate's Chain of Trust (CWE-296)
2026-06-10 551230f0-3615-47bd-b7cc-93e92e730bbf GHSA-7rrm-228m-fjwh
8.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
CVE Published
Jun 22, 2026 - 06:03 cve.org
HIGH 8.4
Analysis Generated
Jun 10, 2026 - 15:24 vuln.today
CVSS changed
Jun 10, 2026 - 15:22 NVD
8.4 (HIGH)
CVE Published
Jun 10, 2026 - 12:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

Slate Digital Connect 1.37.0 for macOS installs a privileged helper tool, com.slatedigital.connect.privileged.helper.tool, which exposes the XPC service com.slatedigital.connect.privileged.helper.tool2. The helper validates connecting XPC clients by checking only the subject.OU value of the client's signing certificate and does not verify that the certificate chains to a trusted code-signing authority. A local attacker can sign a malicious client with a self-signed certificate containing the expected organizational unit value and connect to the privileged XPC service. This allows unauthorized access to privileged helper functionality and may lead to local privilege escalation.

AnalysisAI

Local privilege escalation in Slate Digital Connect 1.37.0 for macOS allows unprivileged users to execute commands as root by connecting to the privileged XPC helper service with a self-signed certificate whose subject OU matches the expected value. The flaw stems from improper certificate validation (CWE-296) in the helper's client authorization logic, which fails to verify the certificate chains to a trusted code-signing authority. No public exploit is identified in CISA KEV at time of analysis, and EPSS reflects very low (0.01%) near-term exploitation probability, but a detailed vendor-lab advisory is publicly available.

Technical ContextAI

Slate Digital Connect is an audio plugin authentication/licensing client for macOS used by the Slate Digital plugin ecosystem. The product installs a privileged helper tool (com.slatedigital.connect.privileged.helper.tool) under macOS's SMJobBless / privileged helper model, which exposes the XPC service com.slatedigital.connect.privileged.helper.tool2 to perform actions requiring root. macOS best practice for XPC client authorization requires verifying the connecting peer's code signature using SecCodeCheckValidity / SecRequirement-based requirements (anchor apple generic, certificate leaf TeamID, designated requirement) so that only binaries signed by the expected developer can communicate with the helper. This vulnerability is a classic CWE-296 (Improper Following of a Certificate's Chain of Trust) - the helper inspects only the subject.OU attribute of the client certificate without anchoring the chain to Apple's code-signing CA, so any self-signed certificate carrying the right OU string is accepted as legitimate.

RemediationAI

No vendor-released patch version is identified in the provided data at time of analysis, so administrators should monitor Slate Digital's official channels and the SEC Consult advisory at https://sec-consult.com/vulnerability-lab/advisory/local-privilege-escalation-in-slate-digital-connect/ for a fixed release superseding 1.37.0 and upgrade as soon as one ships. As compensating controls on macOS endpoints running version 1.37.0, uninstall Slate Digital Connect on systems where it is not actively required (this disables Slate Digital plugin authorization until reinstalled), or remove the privileged helper by unloading and deleting /Library/PrivilegedHelperTools/com.slatedigital.connect.privileged.helper.tool and its associated LaunchDaemon plist (this breaks any Connect functionality that depends on root privileges such as license/driver installation). Where the helper must remain installed, restrict the workstation to trusted interactive users only and tighten endpoint controls - for example MDM-enforced Gatekeeper, EDR rules blocking unsigned or non-Slate binaries from initiating XPC connections to com.slatedigital.connect.privileged.helper.tool2, and monitoring for new launchd connections to that mach service - accepting that these reduce but do not eliminate the local escalation path.

Share

CVE-2026-24066 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy