Description
The issue was addressed with improved checks. This issue is fixed in Xcode 26. An app may be able to read and write files outside of its sandbox.
Published: 2025-09-15
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized file system access
Action: Patch
AI Analysis

Impact

The vulnerability is an access control flaw that allows a compromised application built with Xcode to read and write files outside its intended sandbox boundary. This can lead to disclosure of confidential system files, tampering with application data, and potentially local privilege escalation if the attacker can manipulate files that are critical to the integrity of the system or of other apps. The flaw stems from inadequate sandbox validation, consistent with the CWE-284 classification.

Affected Systems

The affected product is Apple Xcode. Versions prior to Xcode 26 are susceptible, since the issue was fixed specifically in Xcode 26. The CVE does not list exact versions, so any build of Xcode 25.x or earlier that was used to compile the vulnerable applications is considered at risk.

Risk and Exploitability

The CVSS score of 7.1 indicates moderate to high severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation; no public exploits have been reported and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be local, requiring the attacker to influence a build process or to execute the resulting application with the sandbox bypass. Because the flaw is tied to the development environment, it most likely affects developers and build systems that use older Xcode releases.

Generated by OpenCVE AI on April 28, 2026 at 10:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Xcode 26 update or later to incorporate the security fix.
  • Recompile affected applications with the latest SDK to ensure sandbox checks are enforced.
  • After updating, review application entitlements and remove any over-permissive file-access entitlements from the code signature.



Advisories
Source: EUVD
ID: EUVD-2025-29335
Title: The issue was addressed with improved checks. This issue is fixed in Xcode 26. An app may be able to read and write files outside of its sandbox.
History

Tue, 28 Apr 2026 11:15:00 +0000

  • Title added: Xcode Sandbox Bypass Grants Unauthorized File Access

Mon, 03 Nov 2025 19:30:00 +0000

  • References (values not shown)

Wed, 17 Sep 2025 13:45:00 +0000

  • CPEs added: cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*

Wed, 17 Sep 2025 11:00:00 +0000

  • First Time appeared: Apple, Apple xcode
  • Vendors & Products: Apple, Apple xcode

Tue, 16 Sep 2025 18:15:00 +0000

  • Weaknesses added: CWE-284
  • Metrics added:
      cvssV3_1: score 7.1, vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
      ssvc (version 2.0.3): Automatable: no, Exploitation: none, Technical Impact: total

Mon, 15 Sep 2025 22:45:00 +0000

  • Description added: The issue was addressed with improved checks. This issue is fixed in Xcode 26. An app may be able to read and write files outside of its sandbox.
  • References (values not shown)

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:11:14.679Z

Reserved: 2025-04-16T15:24:37.099Z

Link: CVE-2025-43263

Vulnrichment

Updated: 2025-11-03T18:09:50.030Z

NVD

Status: Modified

Published: 2025-09-15T23:15:31.133

Modified: 2025-11-03T19:15:55.273

Link: CVE-2025-43263

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T11:00:14Z

Weaknesses