Skip to main content

CVE-2026-24068

| EUVDEUVD-2026-16160 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-03-26 551230f0-3615-47bd-b7cc-93e92e730bbf
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 26, 2026 - 11:22 euvd
EUVD-2026-16160
Analysis Generated
Mar 26, 2026 - 11:22 vuln.today
CVE Published
Mar 26, 2026 - 11:16 nvd
HIGH 8.8

DescriptionCVE.org

The VSL privileged helper does utilize NSXPC for IPC. The implementation of the "shouldAcceptNewConnection" function, which is used by the NSXPC framework to validate if a client should be allowed to connect to the XPC listener, does not validate clients at all. This means that any process can connect to this service using the configured protocol. A malicious process is able to call all the functions defined in the corresponding HelperToolProtocol. No validation is performed in the functions "writeReceiptFile" and “runUninstaller” of the HelperToolProtocol. This allows an attacker to write files to any location with any data as well as execute any file with any arguments. Any process can call these functions because of the missing XPC client validation described before. The abuse of the missing endpoint validation leads to privilege escalation.

AnalysisAI

Vienna Assistant 1.2.542 on macOS allows local privilege escalation through an unauthenticated XPC service endpoint that accepts connections from any process. The vulnerable VSL privileged helper service exposes functions to write arbitrary files to any location and execute arbitrary binaries with any arguments, enabling a low-privileged local user to gain root access. A proof-of-concept exploit exists per SSVC assessment, with an EPSS score of 0.02% indicating low observed exploitation probability in the wild.

Technical ContextAI

This vulnerability exploits macOS's NSXPC inter-process communication framework, specifically the shouldAcceptNewConnection delegate method used to validate XPC client connections. CWE-306 (Missing Authentication for Critical Function) occurs because the VSL privileged helper tool's XPC listener does not implement any client validation logic, allowing arbitrary processes to bind to the service and invoke privileged operations. The HelperToolProtocol exposes writeReceiptFile and runUninstaller functions that execute with elevated privileges inherited from the helper tool without performing authorization checks on the calling process, violating Apple's secure XPC service design guidelines. Vienna Assistant 1.2.542 is confirmed affected per EUVD-2026-16160 reporting.

RemediationAI

Users should monitor the SEC Consult advisory at https://r.sec-consult.com/vsl for vendor patch releases addressing this XPC validation issue. Until a patched version is available, mitigate risk by restricting local user access to systems running Vienna Assistant 1.2.542, removing the application from multi-user or untrusted environments, and implementing endpoint detection rules monitoring for unauthorized XPC connections to the VSL helper service. Organizations should audit systems for Vienna Assistant installations and consider temporary removal if the software is not business-critical. The underlying fix requires implementing proper XPC client validation in shouldAcceptNewConnection using code signing or entitlement checks, and adding per-function authorization in writeReceiptFile and runUninstaller methods.

Share

CVE-2026-24068 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy