Description
A permissions issue was addressed with improved validation. This issue is fixed in iPadOS 17.7.6, macOS Sequoia 15.4, macOS Sequoia 15.7.2, macOS Sonoma 14.7.5, macOS Sonoma 14.8.2, macOS Tahoe 26.1, macOS Ventura 13.7.5. A shortcut may be able to access files that are normally inaccessible to the Shortcuts app.
Published: 2025-03-31
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized file access via Shortcuts app
Action: Patch Immediately
AI Analysis

Impact

A permissions issue allows a shortcut to read files that are normally inaccessible to the Shortcuts app. The flaw stems from insufficient validation of file access permissions, which is categorized as a Permission Management weakness (CWE-276). If exploited, an attacker could obtain sensitive data or code from protected locations, potentially compromising the confidentiality of user data. The advisory notes that the fix was applied in recent releases of iPadOS and macOS.

Affected Systems

Apple iPadOS versions before 17.7.6 are affected, as are macOS releases before the fixed versions: Sequoia 15.4 and 15.7.2, Sonoma 14.7.5 and 14.8.2, Tahoe 26.1, and Ventura 13.7.5. Devices running any older versions of these operating systems are vulnerable and should be upgraded.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity with the potential for complete data exposure. The EPSS score of less than 1% suggests that the likelihood of exploitation is currently low, and the vulnerability is not listed in the CISA KEV catalog. The most likely attack vector is a malicious or corrupted shortcut that a user is asked to run. Once the shortcut is executed, the app's permission model is bypassed, allowing the shortcut to access protected files.

Generated by OpenCVE AI on April 28, 2026 at 03:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update all affected devices to iPadOS 17.7.6 or later and to the latest macOS updates (Sequoia 15.4/15.7.2, Sonoma 14.7.5/14.8.2, Tahoe 26.1, or Ventura 13.7.5).
  • Remove any shortcuts that were added from untrusted sources or delete suspicious shortcuts from the Shortcuts app.
  • Configure Shortcuts settings to block execution of untrusted shortcuts and restrict shortcut creation to app‑approved sources.



Advisories
Source: EUVD
ID: EUVD-2025-8901
Title: A permissions issue was addressed with improved validation. This issue is fixed in macOS Ventura 13.7.5, iPadOS 17.7.6, macOS Sequoia 15.4, macOS Sonoma 14.7.5. A shortcut may be able to access files that are normally inaccessible to the Shortcuts app.

History

Tue, 28 Apr 2026 03:45:00 +0000

Type: Title
Values Added: Shortcuts App Permission Escalation Allowing Unauthorized File Access

Thu, 02 Apr 2026 20:30:00 +0000

Type: Description
Values Removed: A permissions issue was addressed with improved validation. This issue is fixed in macOS Ventura 13.7.5, iPadOS 17.7.6, macOS Sequoia 15.4, macOS Sonoma 14.7.5. A shortcut may be able to access files that are normally inaccessible to the Shortcuts app.
Values Added: A permissions issue was addressed with improved validation. This issue is fixed in iPadOS 17.7.6, macOS Sequoia 15.4, macOS Sequoia 15.7.2, macOS Sonoma 14.7.5, macOS Sonoma 14.8.2, macOS Tahoe 26.1, macOS Ventura 13.7.5. A shortcut may be able to access files that are normally inaccessible to the Shortcuts app.
References

Mon, 03 Nov 2025 22:30:00 +0000


Fri, 04 Apr 2025 19:45:00 +0000

Type: First Time appeared
Values Added:
  • Apple
  • Apple ipados
  • Apple macos
Type: CPEs
Values Added:
  • cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
Type: Vendors & Products
Values Added:
  • Apple
  • Apple ipados
  • Apple macos

Wed, 02 Apr 2025 15:15:00 +0000

Type: Weaknesses
Values Added: CWE-276
Type: Metrics
Values Added:
  • cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  • ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 31 Mar 2025 22:45:00 +0000

Type: Description
Values Added: A permissions issue was addressed with improved validation. This issue is fixed in macOS Ventura 13.7.5, iPadOS 17.7.6, macOS Sequoia 15.4, macOS Sonoma 14.7.5. A shortcut may be able to access files that are normally inaccessible to the Shortcuts app.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:08:03.486Z

Reserved: 2025-03-22T00:04:43.722Z

Link: CVE-2025-30465

Vulnrichment

Updated: 2025-04-02T14:30:58.223Z

NVD

Status: Modified

Published: 2025-03-31T23:15:27.873

Modified: 2026-04-02T19:19:41.657

Link: CVE-2025-30465

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T03:30:19Z

Weaknesses