Skip to main content

macOS CVE-2026-28910

| EUVDEUVD-2026-29234 LOW
Improper Access Control (CWE-284)
2026-05-11 apple GHSA-gjq4-3jcx-r8xf
3.3
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 13, 2026 - 00:45 vuln.today
CVSS changed
May 12, 2026 - 22:22 NVD
3.3 (None) 3.3 (LOW)
Patch available
May 11, 2026 - 22:03 EUVD
CVE Published
May 11, 2026 - 20:08 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:08 nvd
LOW 3.3

DescriptionCVE.org

This issue was addressed with improved permissions checking. This issue is fixed in macOS Tahoe 26.4. A malicious app may be able to access arbitrary files.

AnalysisAI

Improper permissions checking in macOS before version 26.4 allows a malicious app with local user privileges to access arbitrary files without user interaction, potentially exposing sensitive data. The vulnerability has a low EPSS score (0.01%) and no confirmed active exploitation, making it a low-priority but real local privilege escalation risk for systems where untrusted applications may execute.

Technical ContextAI

This vulnerability stems from insufficient permissions validation in macOS file access controls (CWE-284: Improper Access Control). The root cause involves the operating system failing to properly enforce sandboxing or access control policies when a local application attempts to read files outside its permitted scope. The flaw affects the core macOS operating system (CPE: cpe:2.3:a:apple:macos) across versions prior to 26.4, indicating the issue exists in the kernel or system-level file handling mechanisms rather than isolated libraries. The attack vector is local and requires legitimate user-level privileges (PR:L), meaning the attacker must first have an account on the system or trick a user into executing malicious code.

RemediationAI

Update to macOS Tahoe 26.4 or later, available via Apple's security update mechanism at https://support.apple.com/en-us/126794. This vendor-released patch addresses the improved permissions checking deficiency and is the only confirmed remediation. Until patching is possible, implement compensating controls: restrict installation of third-party apps by disabling sideloading or using Mobile Device Management (MDM) policies to allowlist only trusted applications; enable System Integrity Protection (SIP) if not already enabled to add an additional kernel-level guard; audit file access logs on multi-user systems to detect unauthorized reads; and educate users not to grant Finder or app-level permissions to untrusted software. Note that none of these controls fully eliminate the vulnerability - they only reduce attack surface.

Share

CVE-2026-28910 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy