Description
CVE-2026-33448 is a format string vulnerability in the logging subsystem
of Secure Access client for MacOS prior to 14.50. Attackers with
control of a modified server can force the client to dump the contents
of a small portion of memory to the log files potentially revealing
secrets.
Published: 2026-04-30
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The logging subsystem in Absolute Software Secure Access for MacOS prior to version 14.50 contains a format string vulnerability (CWE‑134) that allows a malicious server to craft log messages that force the client to output arbitrary memory contents to its log files. The disclosed memory may include sensitive data such as credentials or cryptographic material, representing a partial data leakage risk.

Affected Systems

Any Absolute Software Secure Access client for MacOS running a version earlier than 14.50 is vulnerable. Only the MacOS client is affected; no other operating systems or products are listed.

Risk and Exploitability

The CVSS score of 4.8 classifies the issue as "Medium" severity. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog, indicating a low likelihood of widespread exploitation. An attacker must control a server that the client connects to, which is typically a remote operation. If the client is configured to communicate with untrusted or malicious servers, the risk escalates, but overall exploitation remains moderate and depends on the availability of a compromised server.

Generated by OpenCVE AI on May 1, 2026 at 05:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Secure Access 14.50 or later.
  • Restrict the client so it communicates only with trusted servers and block any unknown or untrusted servers.
  • Monitor log files for abnormal memory dump entries and disable logging of sensitive information if possible.

Advisories

No advisories yet.

History

Fri, 01 May 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 01 May 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Absolute
Absolute secure Access
Vendors & Products Absolute
Absolute secure Access

Fri, 01 May 2026 05:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-134

Thu, 30 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description CVE-2026-33448 is a format string vulnerability in the logging subsystem of Secure Access client for MacOS prior to 14.50. Attackers with control of a modified server can force the client to dump the contents of a small portion of memory to the log files potentially revealing secrets.
Title Format string vulnerability in MacOS clients prior to 14.50
References
Metrics cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Absolute

Published:

Updated: 2026-05-01T14:35:03.996Z

Reserved: 2026-03-19T23:04:05.695Z

Link: CVE-2026-33448

Vulnrichment

Updated: 2026-05-01T14:34:58.503Z

NVD

Status: Awaiting Analysis

Published: 2026-04-30T20:16:24.093

Modified: 2026-05-01T15:28:29.083

Link: CVE-2026-33448

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T08:15:12Z

Weaknesses