Description
A path handling issue was addressed with improved logic. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to observe unprotected user data.
Published: 2026-05-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path handling issue was identified in macOS that permits a malicious or compromised application to observe unprotected user data. The flaw arises from insufficient validation of file system paths, which enables information disclosure and corresponds to an unauthorized access vulnerability (CWE‑552).

Affected Systems

Apple macOS is affected. Versions of macOS Sequoia earlier than 15.7.7, macOS Sonoma earlier than 14.8.7, and macOS Tahoe earlier than 26.5 are vulnerable. The issue was mitigated in the releases mentioned in the advisory.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. An attacker could leverage this flaw from any application that can access the file system, typically on the same local workstation. The risk remains primarily local, affecting the confidentiality of sensitive files accessible to the user or to applications with user privileges.

Generated by OpenCVE AI on May 12, 2026 at 18:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade macOS to the latest releases that contain the fix: Sequoia 15.7.7, Sonoma 14.8.7, or Tahoe 26.5.
  • Restart the system to ensure that updated binaries are loaded.
  • Consider temporarily disabling or monitoring third‑party applications that have previously accessed sensitive files until the update is applied.

Advisories

No advisories yet.

History

Tue, 12 May 2026 19:00:00 +0000

Type Values Removed Values Added
Title Path Handling Vulnerability Allows Unauthorized Observation of User Data

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*

Tue, 12 May 2026 16:30:00 +0000

Type Values Removed Values Added
Title Path Handling Issue Allows Observation of Unprotected User Data
Weaknesses CWE-200

Tue, 12 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-552
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 22:45:00 +0000

Type Values Removed Values Added
Title Path Handling Issue Allows Observation of Unprotected User Data
First Time appeared Apple
Apple macos
Weaknesses CWE-200
Vendors & Products Apple
Apple macos

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description A path handling issue was addressed with improved logic. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to observe unprotected user data.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-12T13:11:39.885Z

Reserved: 2026-04-07T19:58:20.173Z

Link: CVE-2026-39871

Vulnrichment

Updated: 2026-05-12T13:11:25.119Z

NVD

Status: Analyzed

Published: 2026-05-11T21:19:00.050

Modified: 2026-05-12T17:17:16.833

Link: CVE-2026-39871

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T18:45:05Z

Weaknesses