Skip to main content

macOS Tahoe CVE-2026-28930

| EUVDEUVD-2026-29247 HIGH
Improper Access Control (CWE-284)
2026-05-11 apple GHSA-7gpw-768q-4j6r
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 13, 2026 - 15:53 vuln.today
CVSS changed
May 13, 2026 - 15:52 NVD
7.5 (HIGH)
Patch available
May 11, 2026 - 22:03 EUVD
CVE Published
May 11, 2026 - 20:08 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:08 nvd
HIGH 7.5

DescriptionCVE.org

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.5. An app may be able to access protected user data.

AnalysisAI

Insufficient permission enforcement in macOS Tahoe prior to 26.5 allows applications to bypass access controls and read protected user data without proper authorization. Apple addressed the vulnerability through hardened permission checks in version 26.5. EPSS probability indicates minimal observed exploitation activity (0.01%, 3rd percentile), and no public exploit code or CISA KEV listing exists at time of analysis, suggesting exploitation requires application-specific development effort rather than readily available tooling.

Technical ContextAI

This vulnerability stems from inadequate permission enforcement (CWE-284: Improper Access Control) in macOS Tahoe's application sandbox or entitlement framework. The macOS permission model relies on TCC (Transparency, Consent, and Control) to mediate application access to protected resources like contacts, photos, location data, and files. When permission validation logic contains flaws, malicious or compromised applications can bypass these controls and access user data without explicit user consent or proper entitlements. The CPE identifier (cpe:2.3:a:apple:macos) confirms this affects the macOS operating system platform itself rather than a third-party application, indicating a core OS security mechanism failure that could be exploited by any installed application.

RemediationAI

Apply macOS Tahoe 26.5 released by Apple, which implements additional permission validation restrictions to prevent unauthorized data access. Download the update through System Settings > General > Software Update or via Apple's support portal at https://support.apple.com/en-us/127115. For environments unable to patch immediately, implement temporary compensating controls: restrict installation of new applications through Gatekeeper policies requiring notarized software only, audit existing application entitlements using 'codesign -d --entitlements' to identify apps with broad data access permissions, and deploy MDM policies limiting TCC database modifications. Note these workarounds only reduce attack surface and cannot fully prevent exploitation by already-installed malicious applications. Full remediation requires OS upgrade to 26.5.

Share

CVE-2026-28930 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy