Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.5. An app may be able to access protected user data.
AnalysisAI
macOS Tahoe allows applications to access protected user data due to insufficient permission enforcement on system APIs. The vulnerability affects all macOS versions prior to 26.5 and is tagged as an authentication bypass, indicating apps can circumvent permission prompts or system restrictions to read sensitive data without user consent. While not yet actively exploited (EPSS 0.01%, no CISA KEV listing), the CVSS vector (AV:N/AC:L/PR:N/UI:N) appears inconsistent with the local application context described, suggesting potential network-accessible component or misclassified attack vector requiring vendor clarification.
Technical ContextAI
This is a permissions enforcement vulnerability (CWE-284: Improper Access Control) in macOS Tahoe's application sandboxing and permission framework. According to CPE data, the vulnerability exists in macOS versions below 26.5. The issue stems from insufficient validation when applications request access to protected user data stores such as contacts, photos, health data, or file system locations governed by Transparency, Consent, and Control (TCC) mechanisms. The authentication bypass tag suggests applications can exploit this flaw to read protected resources without proper TCC authorization checks, potentially bypassing both user consent dialogs and system-level restrictions that isolate sensitive data from untrusted processes.
RemediationAI
Update to macOS Tahoe 26.5 or later, which Apple confirms addresses the permissions issue with additional restrictions per their security advisory at https://support.apple.com/en-us/127115. Organizations should prioritize deployment to systems running sensitive applications or storing protected user data. Until patching is complete, implement compensating controls: restrict installation of third-party applications through MDM policies allowing only signed apps from identified developers, enable Gatekeeper with strictest settings, audit existing installed applications for unexpected permission grants via System Settings > Privacy & Security, and monitor TCC database logs for anomalous permission usage patterns. Note that restricting app installation may impact user productivity and require exception processes for legitimate business applications.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29298
GHSA-x88f-jpfv-xprq