Description
A permissions issue was addressed with additional restrictions. This issue is fixed in Xcode 26.4. An app may be able to read arbitrary files as root.
Published: 2026-03-25
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

A flaw in Apple Xcode allows an application to read any file with root permissions, effectively granting the attacker elevated system privileges and enabling access to sensitive data. This is an improper privilege management issue that can be exploited to exfiltrate confidential files or information that should be restricted to the operating system. No denial of service or remote code execution is described, but the ability to read root-protected files directly violates confidentiality and integrity.

Affected Systems

Apple Xcode versions prior to 26.4 are affected. The vulnerability is fixed in the 26.4 release, so any installation running an older revision remains vulnerable until an update is installed.

Risk and Exploitability

The CVSS score of 6.2 indicates a medium severity level, and the EPSS score of less than 1% implies that exploitation is not expected to be widespread. The flaw is not listed in the CISA KEV catalog, further indicating limited current exploitation. Based on the description, the attack vector is inferred to be local or developer-based, where a malicious or improperly configured application within Xcode could read arbitrary files. No public exploit or zero-day kit has been reported, but the issue remains serious enough to warrant timely patching.

Generated by OpenCVE AI on March 26, 2026 at 19:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Xcode to version 26.4 or later to apply the patch.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Title Xcode Permissions Error Enabling Arbitrary Root File Read
Weaknesses CWE-200
CWE-284

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Title Xcode Permissions Error Enabling Arbitrary Root File Read
Weaknesses CWE-200
CWE-284

Wed, 25 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-269
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple xcode
Vendors & Products Apple
Apple xcode

Wed, 25 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
Description A permissions issue was addressed with additional restrictions. This issue is fixed in Xcode 26.4. An app may be able to read arbitrary files as root.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:11:05.556Z

Reserved: 2026-03-03T16:36:03.980Z

Link: CVE-2026-28889

Vulnrichment

Updated: 2026-03-25T19:13:25.594Z

NVD

Status : Analyzed

Published: 2026-03-25T01:17:12.380

Modified: 2026-03-26T18:24:45.947

Link: CVE-2026-28889

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:20:15Z

Weaknesses