Description
This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia 15.4. An app may be able to access protected user data.
Published: 2026-06-11
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from insufficient validation of symbolic links during file system operations. An application that follows a symlink pointing to a protected file can unintentionally read data that should remain confidential, exposing protected user information. The flaw is an improper access control issue that also depends on missing input validation of symbolic link paths.

Affected Systems

Apple macOS is affected; the issue exists in all macOS Sequoia releases prior to 15.4. The flaw was addressed in macOS Sequoia 15.4 and later.

Risk and Exploitability

The CVSS score is 5.5; the EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. Attackers would need local execution privileges to create or control a symbolic link that points to sensitive data, indicating the problem is local with no documented remote exploitation path. Thus, the likelihood of exploitation is limited to scenarios where an app can write to a directory that may contain a symlink to protected files.

Generated by OpenCVE AI on June 11, 2026 at 22:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade macOS to Sequoia 15.4 or later, which includes the symlink handling fix.
  • Ensure the system’s software update settings are configured to automatically install critical security updates.
  • If an immediate upgrade is not possible, restrict permissions of third‑party applications and limit write access to directories that may contain sensitive data to prevent symlink manipulation.


Advisories

No advisories yet.

History

Thu, 11 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-284

Thu, 11 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Title Symlink Abuse Allows Apps to Read Protected User Data on macOS
First Time appeared Apple
Apple macos
Weaknesses CWE-20
CWE-284
Vendors & Products Apple
Apple macos

Thu, 11 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-59
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia 15.4. An app may be able to access protected user data.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-06-11T19:33:29.543Z

Reserved: 2025-04-22T21:13:49.959Z

Link: CVE-2025-46293

Vulnrichment

Updated: 2026-06-11T19:33:19.922Z

NVD

Status: Undergoing Analysis

Published: 2026-06-11T19:16:34.407

Modified: 2026-06-11T20:51:53.840

Link: CVE-2025-46293

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T22:15:09Z

Weaknesses
  • CWE-59

    Improper Link Resolution Before File Access ('Link Following')