Description
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.1. An app may be able to access Contacts without user consent.
Published: 2026-04-02
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Contact Access
Action: Apply Update
AI Analysis

Impact

A flaw in the macOS operating system allows applications to read the user's contacts without seeking explicit user consent, representing an improper authorization control identified as CWE-284. The unauthorized disclosure of personal data—such as names, emails, phone numbers, and addresses—can facilitate privacy violations, phishing, and identity‑theft attempts.

Affected Systems

Apple macOS Sequoia versions prior to 15.1 are affected; the issue is resolved in macOS Sequoia 15.1 and later releases. Devices running any build of Sequoia 15.0 or earlier are susceptible.

Risk and Exploitability

The CVSS score of 7.1 signifies a high severity impact, while the EPSS score of less than 1% indicates a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation has been reported. Based on the description, the exploitation vector is inferred to be local: any application installed on the system that can be executed by the user may gain contact data without permission.

Generated by OpenCVE AI on April 3, 2026 at 21:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update macOS to version 15.1 or later
  • Revoke contact permissions for apps that do not require them
  • Avoid installing untrusted applications and regularly review app permissions

Generated by OpenCVE AI on April 3, 2026 at 21:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://support.apple.com/en-us/121564 cve-icon cve-icon
History

Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Title macOS Sequoia Application Access to Contacts Without User Consent

Fri, 03 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Title macOS Sequoia Application Access to Contacts Without User Consent
First Time appeared Apple
Apple macos
Vendors & Products Apple
Apple macos

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.1. An app may be able to access Contacts without user consent.
Weaknesses CWE-284
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Apple Macos
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T19:52:40.158Z

Reserved: 2024-07-10T17:11:04.711Z

Link: CVE-2024-40858

cve-icon Vulnrichment

Updated: 2026-04-02T19:51:21.996Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T19:17:59.077

Modified: 2026-04-03T17:55:10.113

Link: CVE-2024-40858

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T07:55:37Z

Weaknesses