Skip to main content

Absolute Secure Access CVE-2026-33448

| EUVDEUVD-2026-26416 MEDIUM
Information Exposure (CWE-200)
2026-04-30 Absolute
4.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Patch released
May 01, 2026 - 15:28 nvd
Patch available
Analysis Generated
Apr 30, 2026 - 22:15 vuln.today
Patch available
Apr 30, 2026 - 21:02 EUVD
CVSS changed
Apr 30, 2026 - 20:22 NVD
4.8 (MEDIUM)
EUVD ID Assigned
Apr 30, 2026 - 20:00 euvd
EUVD-2026-26416
Analysis Generated
Apr 30, 2026 - 20:00 vuln.today
CVE Published
Apr 30, 2026 - 19:47 nvd
MEDIUM 4.8

DescriptionCVE.org

CVE-2026-33448 is a format string vulnerability in the logging subsystem of Secure Access client for MacOS prior to 14.50. Attackers with control of a modified server can force the client to dump the contents of a small portion of memory to the log files potentially revealing secrets.

AnalysisAI

Format string vulnerability in Secure Access client for macOS prior to version 14.50 allows authenticated local attackers to leak sensitive data from process memory via crafted logging input, potentially exposing secrets through log files. The vulnerability requires local access and valid user privileges but no user interaction. Patch is available from the vendor.

Technical ContextAI

The vulnerability resides in the logging subsystem of Absolute's Secure Access macOS client. Format string flaws occur when user-controlled or attacker-influenced input is passed directly to format string functions (such as printf-family calls in C/C++) without proper sanitization. In this case, an attacker with control of a modified server can inject format string specifiers into logging operations, causing the application to read and output arbitrary memory locations to log files. The affected product line spans Secure Access versions 0 through 14.49 on macOS, as identified by CPE cpe:2.3:a:absolute_software:secure_access:*:*:*:*:*:*:*:*. While CWE data was not provided in the submission, format string vulnerabilities typically fall under CWE-134 (Use of Externally-Controlled Format String).

RemediationAI

Upgrade Absolute Secure Access to version 14.50 or later. Vendor has released a patch addressing the format string flaw in the logging subsystem. Administrators should deploy the patched version across all macOS endpoints running Secure Access. If immediate upgrade is not feasible, restrict local user access to systems running vulnerable Secure Access versions, particularly in environments where untrusted local users may gain shell access. Additionally, monitor log files from affected Secure Access installations for suspicious format string patterns (e.g., repeated %x or %n specifiers) that may indicate exploitation attempts. Network segmentation to limit which servers Secure Access clients can communicate with reduces the attack surface, as the attacker must first control a modified server the client trusts. Refer to the vendor advisory at https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33448 for specific patching timelines and supported versions.

Share

CVE-2026-33448 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy