Description
Twitch Studio version 0.114.8 and prior contain a privilege escalation vulnerability in its privileged helper tool that allows local attackers to execute arbitrary code as root by exploiting an unprotected XPC service. Attackers can invoke the installFromPath:toPath:withReply: method to overwrite system files and privileged binaries, achieving full system compromise. Twitch Studio was discontinued in May 2024.
Published: 2026-04-06
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation to Root
Action: Immediate Mitigation
AI Analysis

Impact

The vulnerability resides in Twitch Studio’s privileged helper, an XPC service that lacks proper authorization checks. By calling the installFromPath:toPath:withReply: method, a local attacker can overwrite arbitrary files, including system binaries, thereby achieving execution of arbitrary code with root privileges. The weakness is classified as Missing Authorization (CWE‑862).

Affected Systems

Twitch Studio version 0.114.8 and earlier are affected. The application was discontinued in May 2024, but the vulnerability remains in any existing installations of these versions. Users should verify whether the software is present on their systems.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity. The EPSS score is below 1%, indicating a low likelihood of large‑scale exploitation. Based on the description, it is inferred that a local attacker who can run applications on the affected system can invoke the unprotected XPC method and thereby obtain root privileges. The vulnerability is not listed in the CISA KEV catalog, meaning it has not been recorded there as exploited in the wild. Because no patch is currently available, users must rely on removal or other defensive controls.

Generated by OpenCVE AI on April 14, 2026 at 03:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Immediately uninstall Twitch Studio if it remains installed.
  • If uninstalling is not feasible, remove the privileged helper XPC service and any associated binaries to prevent the vulnerability from being exercised.
  • Check critical system files and privileged binaries for tampering to confirm that none were overwritten.
  • Migrate to an actively supported streaming solution, such as OBS Studio or Streamlabs.
  • Apply general system hardening: enable System Integrity Protection, restrict local account privileges, and monitor for unauthorized file changes.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:twitch:twitch_studio:*:*:*:*:*:*:*:*

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Twitch
Twitch twitch Studio
Vendors & Products Twitch
Twitch twitch Studio

Mon, 06 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Description Twitch Studio version 0.114.8 and prior contain a privilege escalation vulnerability in its privileged helper tool that allows local attackers to execute arbitrary code as root by exploiting an unprotected XPC service. Attackers can invoke the installFromPath:toPath:withReply: method to overwrite system files and privileged binaries, achieving full system compromise. Twitch Studio was discontinued in May 2024.
Title Twitch Studio LauncherHelper XPC Missing Authorization to Root File Write
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T16:52:06.496Z

Reserved: 2026-03-30T17:25:00.861Z

Link: CVE-2024-14032

Vulnrichment

Updated: 2026-04-06T16:52:00.171Z

NVD

Status: Analyzed

Published: 2026-04-06T16:16:26.470

Modified: 2026-04-14T02:01:12.537

Link: CVE-2024-14032

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:41:15Z

Weaknesses