Description
A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sequoia 15.4. An app may be able to access sensitive user data.
Published: 2026-06-11
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A parsing issue in how macOS handled directory paths allowed an application to bypass proper path validation, potentially granting it access to files that should be restricted. The vulnerability’s primary consequence is a confidentiality breach, where an attacker could read sensitive user data through a malformed path. This weakness is a classic example of improper input validation leading to a directory traversal flaw.

Affected Systems

Apple macOS products are affected, specifically versions earlier than Sequoia 15.4. The fix is included in macOS Sequoia 15.4 and later releases. Users on older releases have not yet received the enhanced path validation and therefore remain vulnerable.

Risk and Exploitability

Exploitability information for this vulnerability is limited; the CVSS score is 5.5, the EPSS score is unavailable, and the issue is not listed in CISA’s KEV catalog. Because the weakness requires an application to be run to exploit the path parsing flaw, the likelihood of exploitation depends on the presence of malicious or compromised software on the victim’s system. Although the vulnerability does not provide code execution, exposure of user data is a significant privacy risk, especially on systems without timely patching. The absence of a publicly documented exploit suggests moderate risk, but the potential damage warrants prompt remediation.

Generated by OpenCVE AI on June 12, 2026 at 00:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install macOS Sequoia 15.4 or later to apply the patch that enforces correct path validation.
  • Enable Gatekeeper and restrict the installation of unsigned or unknown applications to reduce the chance that a malicious app can run.
  • Configure and enforce System Integrity Protection and the macOS File System Security Guidelines to limit directory traversal attempts and protect sensitive files.

Advisories

No advisories yet.

References
History

Thu, 11 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
Title Directory Traversal Allowing Sensitive User Data Access in macOS
Weaknesses CWE-20

Thu, 11 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Title Directory Traversal Allowing Sensitive User Data Access in macOS
Weaknesses CWE-20

Thu, 11 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Vendors & Products Apple
Apple macos

Thu, 11 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sequoia 15.4. An app may be able to access sensitive user data.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-06-11T19:06:22.536Z

Reserved: 2025-01-17T00:00:45.017Z

Link: CVE-2025-24268

Vulnrichment

Updated: 2026-06-11T19:06:15.029Z

NVD

Status: Undergoing Analysis

Published: 2026-06-11T19:16:27.150

Modified: 2026-06-11T20:51:53.840

Link: CVE-2025-24268

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T00:30:07Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')