Skip to main content

Apple CVE-2026-33092

| EUVDEUVD-2026-21372 HIGH
External Control of System or Configuration Setting (CWE-15)
2026-04-10 Acronis GHSA-xr7f-6r6v-cqmm
7.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 05:59 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
42902,42571
EUVD ID Assigned
Apr 10, 2026 - 13:45 euvd
EUVD-2026-21372
Analysis Generated
Apr 10, 2026 - 13:45 vuln.today
CVE Published
Apr 10, 2026 - 13:17 nvd
HIGH 7.8

DescriptionCVE.org

Local privilege escalation due to improper handling of environment variables. The following products are affected: Acronis True Image OEM (macOS) before build 42571, Acronis True Image (macOS) before build 42902.

AnalysisAI

Local privilege escalation in Acronis True Image for macOS enables authenticated low-privileged users to gain elevated system privileges through improper environment variable handling. Affects Acronis True Image OEM (macOS) versions prior to build 42571 and Acronis True Image (macOS) prior to build 42902. Attackers with existing local access can achieve complete system compromise (high confidentiality, integrity, and availability impact). No public exploit identified at time of analysis. Exploitation requires low attack complexity with no user interaction.

Technical ContextAI

Root cause stems from CWE-15 (External Control of System or Configuration Setting) where inadequate sanitization of environment variables allows authenticated local users to manipulate system configuration settings. CVSS vector PR:L indicates exploitation requires low-privilege local credentials. Attack chain leverages environment variable injection to escalate privileges without additional access barriers (AC:L), resulting in complete scope breach across confidentiality, integrity, and availability domains.

RemediationAI

Vendor-released patches: upgrade Acronis True Image OEM (macOS) to build 42571 or later, and Acronis True Image (macOS) to build 42902 or later. Obtain updates through Acronis official channels or enable automatic update mechanisms within the application. Full vendor advisory available at https://security-advisory.acronis.com/advisories/SEC-9407. Until patching is complete, restrict local user privileges on affected macOS systems, enforce principle of least privilege, audit environment variable configurations, and monitor for suspicious privilege escalation attempts. No effective workarounds exist; patching is the only complete mitigation. Prioritize systems with multiple local users or shared access environments.

Share

CVE-2026-33092 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy