Description
A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data.
Published: 2025-12-12
Score: 3.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted Access to Sensitive User Data
Action: Patch
AI Analysis

Impact

The vulnerability is a permissions issue that bypasses sandbox restrictions, allowing an application to read sensitive user data. The flaw is an access control weakness (CWE-284). Because the sandbox is insufficiently enforced, an attacker can cause a local data disclosure without elevated privileges. The impact is limited to the sandboxed application and the data it can access, but it still compromises confidential user information.

Affected Systems

This flaw affects Apple macOS Tahoe releases prior to version 26.1. Users running any macOS Tahoe build before 26.1 are potentially vulnerable. The issue is present across all applications that rely on the affected sandbox configuration.

Risk and Exploitability

The CVSS score of 3.3 indicates low overall severity, and the EPSS score of less than 1% suggests an extremely low probability of exploitation. The vulnerability is not listed in CISA KEV. The flaw relies on local sandbox permissions and would require an application to be executed on the system. Based on the description, the likely attack vector is a malicious or compromised application run locally. No remote exploitation path is explicitly described.

Generated by OpenCVE AI on April 22, 2026 at 20:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade macOS to version 26.1 or later to apply the sandbox restriction fix
  • If an update cannot be performed immediately, restrict execution of untrusted applications using Gatekeeper or other application control policies
  • Keep the operating system fully patched by regularly installing the latest security updates

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 21:15:00 +0000

Type | Values Removed | Values Added
Title | | Permission Issue Allowing Apps to Access Sensitive User Data

Mon, 15 Dec 2025 22:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | NVD-CWE-noinfo
CPEs | | cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*

Mon, 15 Dec 2025 20:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-284
Metrics | | cvssV3_1: {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 14 Dec 2025 21:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Apple; Apple macos; Apple macos Tahoe
Vendors & Products | | Apple; Apple macos; Apple macos Tahoe

Fri, 12 Dec 2025 21:15:00 +0000

Type | Values Removed | Values Added
Description | | A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data.
References | |

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:09:39.420Z

Reserved: 2025-04-16T15:24:37.120Z

Link: CVE-2025-43404

Vulnrichment

Updated: 2025-12-15T19:58:18.527Z

NVD

Status: Analyzed

Published: 2025-12-12T21:15:53.913

Modified: 2025-12-15T22:03:51.640

Link: CVE-2025-43404

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T21:00:06Z

Weaknesses