Description
A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Tahoe 26.3. An app may be able to access sensitive user data.
Published: 2026-02-11
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure
Action: Update macOS
AI Analysis

Impact

A parsing issue in the handling of directory paths can allow an application to read files outside its intended scope. The vulnerability is triggered by insufficient path validation and can expose sensitive user data such as personal documents or system configuration files. The weakness is a classic path traversal flaw (CWE‑22).

Affected Systems

Apple macOS systems running versions prior to the macOS Tahoe 26.3 release are affected. The patch that remediates the issue is provided in macOS Tahoe 26.3 and later releases.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, and the EPSS score of less than 1 percent shows a very low current exploitation probability. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. Based on the description, it is inferred that the likely attack vector is local execution by a malicious application that a user has installed, rather than a remote attacker. Successful exploitation would allow that application to read otherwise protected files, compromising confidentiality.

Generated by OpenCVE AI on April 16, 2026 at 00:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade macOS to version 26.3 or later to receive the patch that validates directory paths correctly
  • Verify that no additional untrusted applications have permissions to access sensitive directories; revoke or uninstall them as necessary
  • Implement or enforce application sandboxing policies to limit file system access for third‑party apps

Generated by OpenCVE AI on April 16, 2026 at 00:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://support.apple.com/en-us/126348 cve-icon cve-icon
History

Thu, 16 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Title Directory Path Parsing Issue Allowing Sensitive Data Exposure in macOS

Thu, 12 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

Thu, 12 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Thu, 12 Feb 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Vendors & Products Apple
Apple macos

Wed, 11 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
Description A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Tahoe 26.3. An app may be able to access sensitive user data.
References

Subscriptions

Apple Macos
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:23:12.009Z

Reserved: 2025-11-11T14:43:07.866Z

Link: CVE-2026-20669

cve-icon Vulnrichment

Updated: 2026-02-12T19:14:15.137Z

cve-icon NVD

Status : Modified

Published: 2026-02-11T23:16:09.217

Modified: 2026-02-12T20:16:04.993

Link: CVE-2026-20669

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T01:00:19Z

Weaknesses