CVE-2024-40787
Description
This issue was addressed by adding an additional prompt for user consent. This issue is fixed in iOS 17.6 and iPadOS 17.6, macOS Monterey 12.7.6, macOS Sonoma 14.6, macOS Ventura 13.6.8, watchOS 10.6. A shortcut may be able to bypass Internet permission requirements.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A shortcut in Apple operating systems may bypass Internet permission requirements, addressed by adding an additional user consent prompt.
Vulnerability
CVE-2024-40787 is a security issue in Apple's Shortcuts app that allows a shortcut to bypass Internet permission requirements. The root cause is insufficient user consent prompting, which the vendor addressed by adding an additional prompt for user consent [1].
Exploitation
To exploit this vulnerability, an attacker would need to create a malicious shortcut that attempts to access the Internet without proper authorization. The attack vector is local, requiring the user to run the shortcut, but no special privileges beyond Shortcuts execution are needed. User interaction is required to initiate the shortcut [4].
Impact
Successful exploitation could allow a shortcut to access the Internet without the user's explicit permission, potentially leading to unauthorized data transmission or exposure of private information. The impact is limited to Internet access bypass, not full system compromise.
Mitigation
Apple has fixed this issue in iOS 17.6, iPadOS 17.6, macOS Monterey 12.7.6, macOS Sonoma 14.6, macOS Ventura 13.6.8, and watchOS 10.6. Users should update their devices to the latest versions to protect against this vulnerability [1][4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:* (range: < 10.6)
- (no CPE) range: = 10.6
- Range: = 12.7.6
- Range: = 17.6
References
- seclists.org/fulldisclosure/2024/Jul/16 (nvd: Mailing List, Third Party Advisory)
- seclists.org/fulldisclosure/2024/Jul/18 (nvd: Mailing List, Third Party Advisory)
- seclists.org/fulldisclosure/2024/Jul/19 (nvd: Mailing List, Third Party Advisory)
- seclists.org/fulldisclosure/2024/Jul/20 (nvd: Mailing List, Third Party Advisory)
- seclists.org/fulldisclosure/2024/Jul/21 (nvd: Mailing List, Third Party Advisory)
- support.apple.com/en-us/HT214117 (nvd: Vendor Advisory)
- support.apple.com/en-us/HT214118 (nvd: Vendor Advisory)
- support.apple.com/en-us/HT214119 (nvd: Vendor Advisory)
- support.apple.com/en-us/HT214120 (nvd: Vendor Advisory)
- support.apple.com/en-us/HT214124 (nvd: Vendor Advisory)
- support.apple.com/en-us/120909 (nvd)
- support.apple.com/en-us/120910 (nvd)
- support.apple.com/en-us/120911 (nvd)
- support.apple.com/en-us/120912 (nvd)
- support.apple.com/en-us/120916 (nvd)
- support.apple.com/kb/HT214117 (nvd)
- support.apple.com/kb/HT214118 (nvd)
- support.apple.com/kb/HT214119 (nvd)
- support.apple.com/kb/HT214120 (nvd)
- support.apple.com/kb/HT214124 (nvd)