Description
A permissions issue was addressed with additional restrictions. This issue is fixed in Xcode 16.3. An app may be able to bypass Privacy preferences.
Published: 2026-01-16
Score: 3.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch Xcode
AI Analysis

Impact

This vulnerability arises from an improperly enforced access control within Xcode, which may allow an application to override standard privacy preference restrictions. Because the permission enforcement is weakened, a malicious or poorly coded application could potentially access or modify user privacy settings that should normally be safeguarded. The weakness is mitigated in Xcode 16.3, where additional restrictions have been implemented.

Affected Systems

The flaw affects all installations of Xcode prior to version 16.3. Developers using older releases, or building applications on those versions, are exposed to the risk of creating binaries that can circumvent privacy controls on macOS or iOS devices. Any developer environment or team that has not yet upgraded may produce software that unintentionally or intentionally bypasses user privacy preferences.

Risk and Exploitability

The CVSS score of 3.3 denotes low severity, and the EPSS score indicates a probability of exploitation below 1%, suggesting limited demand for, or availability of, exploit code. Nonetheless, the issue is covered by Apple's advisory, and it is not listed in the CISA KEV catalog; taken together these indicators point to moderate risk. The attack would most likely be carried out by a developer, or by an application distributed by a malicious party, and would require the affected code to be executed on a system where the privacy settings are accessible. The best defense is to upgrade to the patched release of Xcode, which eliminates the software flaw.

Generated by OpenCVE AI on April 27, 2026 at 21:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Xcode to version 16.3 or later, where the permission enforcement has been strengthened.
  • Rebuild all existing projects using the updated Xcode to ensure new binaries inherit the corrected access controls.
  • Review and test application privacy permission handling to confirm that sensitive privacy settings are protected after rebuilding.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 22:00:00 +0000

Type    Values Removed    Values Added
Title   (none)            Xcode Permissions Issue Allowing Apps to Bypass Privacy Preferences

Tue, 27 Jan 2026 20:30:00 +0000

Type    Values Removed    Values Added
CPEs    (none)            cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*

Mon, 19 Jan 2026 09:45:00 +0000

Type                  Values Removed    Values Added
First Time appeared   (none)            Apple; Apple xcode
Vendors & Products    (none)            Apple; Apple xcode

Fri, 16 Jan 2026 19:15:00 +0000

Type         Values Removed    Values Added
Weaknesses   (none)            CWE-284
Metrics      (none)            cvssV3_1: {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}
                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 16 Jan 2026 17:30:00 +0000

Type          Values Removed    Values Added
Description   (none)            A permissions issue was addressed with additional restrictions. This issue is fixed in Xcode 16.3. An app may be able to bypass Privacy preferences.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:24:28.343Z

Reserved: 2025-03-27T16:13:58.311Z

Link: CVE-2025-31186

Vulnrichment

Updated: 2026-01-16T18:28:08.345Z

NVD

Status : Analyzed

Published: 2026-01-16T18:16:07.260

Modified: 2026-01-27T20:19:59.627

Link: CVE-2025-31186

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T21:45:14Z

Weaknesses