Description
A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Tahoe 26.4. An app may be able to access sensitive user data.
Published: 2026-03-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a parsing flaw in how macOS validates directory paths when processing certain requests. This flaw can allow a malicious application to bypass normal path restrictions and read files outside its intended directory, potentially exposing confidential user data. The weakness is a permissive access control flaw, categorized as CWE‑284.

Affected Systems

The issue affects Apple macOS operating systems up to and including macOS Tahoe 26.3. Apple recommends updating to macOS 26.4 where the path validation has been hardened.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score is below 1 %, implying low likelihood of widespread exploitation, and it is not currently listed in the CISA KEV catalog. The flaw can be exploited by any application that can be compelled to process a crafted directory path, which means an attacker could potentially gain read access to arbitrary files on the affected device.

Generated by OpenCVE AI on March 25, 2026 at 21:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the macOS update to version 26.4 or later
  • If unable to update, restrict application permissions to prevent directory traversal
  • Monitor system logs for anomalous file access

Generated by OpenCVE AI on March 25, 2026 at 21:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://support.apple.com/en-us/126794 cve-icon cve-icon
History

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Title Directory Path Parsing Issue Allowing Sensitive Data Access

Wed, 25 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*

Wed, 25 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Vendors & Products Apple
Apple macos

Wed, 25 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
Description A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Tahoe 26.4. An app may be able to access sensitive user data.
References

Subscriptions

Apple Macos
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-07T22:50:19.210Z

Reserved: 2025-11-11T14:43:07.860Z

Link: CVE-2026-20632

cve-icon Vulnrichment

Updated: 2026-03-25T19:33:27.771Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T01:17:04.107

Modified: 2026-03-25T20:28:22.920

Link: CVE-2026-20632

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T21:32:24Z

Weaknesses