Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
5DescriptionCVE.org
A logic issue was addressed with improved file handling. This issue is fixed in macOS Tahoe 26.5. A maliciously crafted ZIP archive may bypass Gatekeeper checks.
AnalysisAI
Gatekeeper security checks in macOS Tahoe can be bypassed using maliciously crafted ZIP archives due to a logic flaw in file handling. An attacker can create a weaponized ZIP file that, when extracted or opened by a user, circumvents Gatekeeper validation, potentially allowing execution of untrusted code. The vulnerability requires user interaction (opening or extracting the malicious archive) and is limited to local attack surface. Vendor-released patch: macOS Tahoe 26.5.
Technical ContextAI
Gatekeeper is macOS's code-signing and origin-verification subsystem that validates executable binaries and application bundles before execution, enforcing security policies on software from unidentified or untrusted developers. The vulnerability resides in the file handling logic that processes ZIP archives during Gatekeeper validation (CWE-358: Improperly Restricted Operations on Rendered UI Layers in a Web Browser). A maliciously crafted ZIP archive exploits this logic flaw to bypass the validation checks, allowing files within the archive to be treated as trusted or to skip origin verification altogether. The CPE indicates all macOS versions prior to Tahoe 26.5 are affected.
RemediationAI
Upgrade macOS to Tahoe 26.5 or later, which contains the improved file handling logic that addresses the ZIP archive validation flaw. Users on unpatched systems should exercise caution when opening ZIP archives from untrusted sources, particularly those received via email or messaging platforms. As a temporary mitigation on unpatched systems, disable or restrict Gatekeeper's assessment bypass features via System Preferences > Security & Privacy, though this may limit legitimate software installation workflows. Administrators can enforce policy requiring Gatekeeper enforcement via MDM profiles. Patch availability and deployment details are provided in Apple's security advisory at https://support.apple.com/en-us/127115.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29236
GHSA-xwxw-c548-rmpj