Skip to main content

macOS CVE-2026-32810

MEDIUM
Incorrect Permission Assignment for Critical Resource (CWE-732)
2026-03-20 GitHub_M
5.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 20, 2026 - 23:01 vuln.today
CVE Published
Mar 20, 2026 - 22:40 nvd
MEDIUM 5.5

DescriptionGitHub Advisory

Halloy is an IRC application written in Rust. In versions on \*nix and macOS prior to commit f180e41061db393acf65bc99f5c5e7397586d9cb, halloy creates its config directory and files using default umask permissions, which typically results in 0644 on files and 0755 on directories. This allows any local user on the system to read plaintext credentials stored in config.toml or referenced password_file paths. Commit f180e41061db393acf65bc99f5c5e7397586d9cb patches the issue.

AnalysisAI

Halloy, an IRC application written in Rust, fails to properly restrict file permissions on its configuration directory and files on *nix and macOS systems prior to commit f180e41061db393acf65bc99f5c5e7397586d9cb, resulting in world-readable access to plaintext credentials. Any local user on an affected system can read sensitive authentication data stored in config.toml or referenced password files, leading to credential compromise. While no CVSS score or EPSS data is currently available, the vulnerability represents a direct information disclosure risk with low exploitation complexity.

Technical ContextAI

Halloy is a Rust-based IRC client (CPE: cpe:2.3:a:squidowl:halloy:*:*:*:*:*:*:*:*) that stores configuration data including plaintext credentials in user-accessible directories. The vulnerability stems from CWE-732 (Incorrect Permission Assignment for Critical Resource), where the application relies on default system umask settings rather than explicitly enforcing restrictive file permissions. On typical Unix-like systems, default umask results in file permissions of 0644 (readable by all users) and directory permissions of 0755 (traversable and readable by all users). This is a common misconfiguration in multi-user environments where local privilege separation is essential, and the Rust standard library and file I/O operations do not automatically enforce tighter permissions without explicit developer intervention.

RemediationAI

Update Halloy to a version released after commit f180e41061db393acf65bc99f5c5e7397586d9cb, which patches the permission assignment issue by explicitly setting restrictive file and directory permissions during creation. Refer to the vendor security advisory at https://github.com/squidowl/halloy/security/advisories/GHSA-x5j2-fr4h-9p7g and https://github.com/squidowl/halloy/commit/f180e41061db393acf65bc99f5c5e7397586d9cb for exact patched versions and deployment guidance. As an interim workaround on affected systems, manually restrict permissions on the Halloy config directory (typically ~/.config/halloy or similar) to 0700 (owner-only access) and all files within to 0600 using chmod commands; however, this must be applied manually after each configuration change and is not a permanent fix. The preferred and definitive remedy is to upgrade to the patched version.

More in macOS

View all
CVE-2025-34089 CRITICAL POC
9.3 Jul 03

An unauthenticated remote code execution vulnerability exists in Remote for Mac, a macOS remote control utility develope

CVE-2023-43000 HIGH POC
8.8 Nov 05

A use-after-free issue was addressed with improved memory management. Rated high severity (CVSS 8.8), this vulnerability

CVE-2026-20700 HIGH POC
7.8 Feb 11

Apple's kernel across all platforms (iOS, macOS, watchOS, visionOS, tvOS) contains a memory corruption vulnerability (CV

CVE-2024-6387 HIGH POC
8.1 Jul 01

Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to

CVE-2023-48795 MEDIUM POC
5.9 Dec 18

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot

CVE-2022-48618 HIGH
7.0 Jan 09

The issue was addressed with improved checks. Rated high severity (CVSS 7.0). Actively exploited in the wild (cisa kev)

CVE-2024-27822 HIGH POC
7.8 May 14

A logic issue was addressed with improved restrictions. Rated high severity (CVSS 7.8), this vulnerability is no authent

CVE-2023-22809 HIGH POC
7.8 Jan 18

In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environmen

CVE-2022-46689 HIGH POC
7.0 Dec 15

A race condition was addressed with additional validation. Rated high severity (CVSS 7.0), this vulnerability is no auth

CVE-2022-32845 CRITICAL POC
10.0 Sep 23

This issue was addressed with improved checks. Rated critical severity (CVSS 10.0), this vulnerability is remotely explo

CVE-2022-32221 CRITICAL POC
9.8 Dec 05

When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data t

CVE-2022-32207 CRITICAL POC
9.8 Jul 07

When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-32810 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy