Description
An authorization issue was addressed with improved state management. This issue is fixed in macOS Tahoe 26.4. An app may be able to access sensitive user data.
Published: 2026-05-11
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an authorization weakness that enables an application to read sensitive user data without the required permissions, potentially leading to data disclosure. The vulnerability arises from deficient state management that fails to enforce proper access controls. As a result, an app with sufficient local execution context could bypass user‑level safeguards and expose private information.

Affected Systems

Apple macOS Tahoe releases earlier than version 26.4 are affected. The fix is incorporated in macOS Tahoe 26.4, so systems running any earlier build remain vulnerable.

Risk and Exploitability

The EPSS score of less than 1% indicates a low probability of active exploitation, and the CVSS score of 5.5 denotes moderate risk. The vulnerability is not listed in CISA KEV. Exploitation would likely occur through a locally running application that can take advantage of the flawed authorization logic; no publicly documented remote or network attack vector is provided.

Generated by OpenCVE AI on May 13, 2026 at 00:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the operating system to macOS Tahoe 26.4 or later to obtain the patch that corrects the state‑management flaw.
  • If upgrading is not immediately possible, limit application privileges by configuring sandboxing or enforcing least‑privilege execution policies.
  • Monitor installed applications for anomalous attempts to access user data and audit logs for unauthorized data read activity.

Generated by OpenCVE AI on May 13, 2026 at 00:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://support.apple.com/en-us/126794 cve-icon cve-icon
History

Wed, 13 May 2026 00:45:00 +0000

Type Values Removed Values Added
Title Authorization weakness allows apps to access sensitive user data without permission in macOS Tahoe

Tue, 12 May 2026 23:00:00 +0000

Type Values Removed Values Added
Title macOS Tahoe Authorization Flaw Exposing User Data
Weaknesses CWE-284

Tue, 12 May 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*

Tue, 12 May 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-862
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 22:45:00 +0000

Type Values Removed Values Added
Title macOS Tahoe Authorization Flaw Exposing User Data
Weaknesses CWE-284

Mon, 11 May 2026 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Vendors & Products Apple
Apple macos

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description An authorization issue was addressed with improved state management. This issue is fixed in macOS Tahoe 26.4. An app may be able to access sensitive user data.
References

Subscriptions

Apple Macos
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-12T18:34:40.108Z

Reserved: 2025-11-11T14:43:07.876Z

Link: CVE-2026-20696

cve-icon Vulnrichment

Updated: 2026-05-12T18:34:07.102Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-11T21:18:50.830

Modified: 2026-05-12T19:48:01.077

Link: CVE-2026-20696

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T00:30:28Z

Weaknesses