CVE-2026-20612
Description
A privacy issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.3. An app may be able to access sensitive user data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A macOS privacy vulnerability in path validation lets an app access sensitive user data; fixed in Sequoia 15.7.4, Sonoma 14.8.4, and Tahoe 26.3.
Root Cause
CVE-2026-20612 is a privacy issue affecting multiple macOS versions. The root cause is a logic flaw in how the system validates directory paths, described as a "parsing issue" in the reference for macOS Tahoe [1], an "authorization issue" in Sonoma [2], and an "injection issue" in Sequoia [3]. While the description varies slightly across branches, the core problem is inadequate validation of path data, which can be exploited to bypass privacy protections.
Exploitation
An attacker needs to trick a user into running a malicious app on an affected macOS system. No special network privileges are required; the attack relies on local app execution. The flaw allows the app to access file-system paths or resources it should not be entitled to, effectively bypassing normal sandbox restrictions or user consent prompts.
Impact
If exploited, the app can read sensitive user data such as documents, photos, or settings that are protected by macOS privacy controls. This constitutes a confidentiality breach, with a CVSS v3 base score of 5.5 (Medium).
Mitigation
Apple released patches in macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, and macOS Tahoe 26.3 on February 11, 2026 [1][2][3]. Users should update to the latest version. No workaround is indicated; applying the security update is the only reliable mitigation.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (4)
- Range: <15.7.4
- Range: <14.8.4
- Range: <26.3
Patches
No patches discovered yet.
References
- support.apple.com/en-us/126348 (nvd: Release Notes, Vendor Advisory)
- support.apple.com/en-us/126349 (nvd: Release Notes, Vendor Advisory)
- support.apple.com/en-us/126350 (nvd: Release Notes, Vendor Advisory)