Description
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.1. An app may be able to access Contacts without user consent.
Published: 2026-04-02
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to user contact information
Action: Apply update
AI Analysis

Impact

An app may read a user's Contacts data without the user's consent due to a permissions defect. The vulnerability permits the discovery and export of private contact information, compromising user privacy and confidentiality. It is classified as a false privilege escalation (CWE-284).

Affected Systems

All macOS Sequoia releases prior to version 15.1 are affected. Apple has addressed the issue in macOS Sequoia 15.1. The problem does not apply to earlier macOS major versions that are not part of the Sequoia line.

Risk and Exploitability

The CVSS score of 7.1 indicates high risk, though the EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog. An attacker likely needs local access to install or run an application that can exploit the lapse in permission checks. Exploitation does not require elevated privilege or remote connectivity, but any application running under the victim’s account can access contacts without prompting the user, making it relatively easy to harvest sensitive data.

Generated by OpenCVE AI on April 2, 2026 at 21:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the macOS Sequoia 15.1 update or later to ensure the permissions restriction is applied
  • Verify that the system applies the new permissions controls in Settings → Privacy → Contacts
  • If the update cannot be applied immediately, restrict application permissions manually in Settings → Privacy → Contacts to prevent unauthorized access

Generated by OpenCVE AI on April 2, 2026 at 21:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://support.apple.com/en-us/121564 cve-icon cve-icon
History

Fri, 03 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Title macOS Sequoia Application Access to Contacts Without User Consent
First Time appeared Apple
Apple macos
Vendors & Products Apple
Apple macos

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.1. An app may be able to access Contacts without user consent.
Weaknesses CWE-284
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Apple Macos
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T19:52:40.158Z

Reserved: 2024-07-10T17:11:04.711Z

Link: CVE-2024-40858

cve-icon Vulnrichment

Updated: 2026-04-02T19:51:21.996Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T19:17:59.077

Modified: 2026-04-03T17:55:10.113

Link: CVE-2024-40858

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:16:53Z

Weaknesses