CVE-2026-43652 Overview
CVE-2026-43652 is a permissions vulnerability in Apple macOS that allows an application to access protected user data it has not been granted. Apple addressed the issue with additional restrictions in macOS Tahoe 26.5. The flaw is categorized under [CWE-284] Improper Access Control and stems from insufficient enforcement of the permission boundaries that gate protected resources.
Critical Impact
An application running on an affected macOS system may bypass permission controls to read protected user data, exposing sensitive files and information without the explicit user consent those controls are meant to enforce.
Affected Products
- Apple macOS versions prior to macOS Tahoe 26.5
- User data on those systems that is gated by macOS privacy (TCC) permissions, since the protection applications and users rely on can be bypassed
- Managed Mac fleets that have not yet deployed the 26.5 update
Discovery Timeline
- 2026-05-11 - CVE-2026-43652 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-43652
Vulnerability Analysis
The vulnerability resides in macOS permission enforcement logic governing access to protected user data. An application can reach data the operating system should otherwise restrict behind Transparency, Consent, and Control (TCC) or similar permission boundaries. Apple's advisory describes the remediation as adding further restrictions, which indicates the original logic permitted access paths that bypassed the intended user consent checks.
Exploitation results in confidentiality impact without affecting integrity or availability. The flaw does not require user interaction or additional privileges beyond the ability to run an application on the host. Successful exploitation exposes protected user data such as files, application-specific data, or other resources gated by macOS privacy controls.
The issue is tracked under the broader CWE-284 Improper Access Control category. Apple's advisory at Apple Support Document 127115 confirms the fix is delivered in macOS Tahoe 26.5.
Root Cause
The root cause is an access control gap where macOS did not adequately validate permissions before allowing an application to reach protected user data. The remediation tightens these checks by adding restrictions to the permission evaluation flow.
Attack Vector
A local application leverages the permission gap to reach protected data outside its sanctioned scope. The CVSS vector indicates a network attack vector, but the practical precondition is code execution on the host: an installed or executed application, whether malicious or compromised, reads protected resources it should not be able to reach.
No public proof-of-concept code or exploit has been published. Refer to the Apple Support Document for vendor-confirmed technical context.
Detection Methods for CVE-2026-43652
Indicators of Compromise
- Unexpected application access to ~/Documents, ~/Desktop, ~/Downloads, or TCC-protected ~/Library subtrees such as ~/Library/Mail or ~/Library/Safari
- Processes reading sensitive user data without a corresponding TCC prompt or an allowed entry for that bundle and service in TCC.db
- Anomalous file read activity from non-system applications targeting protected user containers
Detection Strategies
- Monitor Endpoint Security Framework (ESF) events for ES_EVENT_TYPE_NOTIFY_OPEN and ES_EVENT_TYPE_NOTIFY_READDIR against protected user directories
- Audit TCC.db modifications and unexpected privilege grants on managed macOS endpoints
- Correlate application execution telemetry with file access patterns to identify scope violations
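The correlation described in the detection strategies above, as an added example that is not part of the original advisory or Apple's tooling: grants are read from an in-memory SQLite table that mirrors the relevant columns of TCC.db's `access` table (the real column names are `service`, `client`, `client_type` and `auth_value`; the rest of the schema is omitted), then ESF-style open and readdir events are checked against them. The event records, the grants, the home directory and the `signing_id` field name are constructed for the example; in a real pipeline the signing identifier comes from the ESF process record, and a grant table is read from the system and per-user TCC.db files.

```python
"""Flag protected-path file access that no TCC grant explains.

Added example, not from the advisory. The TCC table here is a subset of the
real `access` schema; the events, grants and home directory are constructed.
"""
import sqlite3
from pathlib import PurePosixPath

HOME = "/Users/alice"  # constructed for the example

# Real TCC service identifiers that gate these folders.
PROTECTED = {
    f"{HOME}/Documents": "kTCCServiceSystemPolicyDocumentsFolder",
    f"{HOME}/Desktop": "kTCCServiceSystemPolicyDesktopFolder",
    f"{HOME}/Downloads": "kTCCServiceSystemPolicyDownloadsFolder",
}
FULL_DISK = "kTCCServiceSystemPolicyAllFiles"  # Full Disk Access covers all of the above
AUTH_ALLOWED = 2  # auth_value: 0 denied, 1 unknown, 2 allowed, 3 limited

# Constructed rows: (service, client, client_type, auth_value).
# client_type 0 means `client` is a bundle identifier, 1 means an absolute path.
CONSTRUCTED_GRANTS = [
    (FULL_DISK, "com.example.backupagent", 0, 2),
    ("kTCCServiceSystemPolicyDocumentsFolder", "com.example.editor", 0, 2),
    ("kTCCServiceSystemPolicyDesktopFolder", "com.example.editor", 0, 0),  # denied
]

# Constructed ESF-style records; `signing_id` is an assumed field name.
CONSTRUCTED_EVENTS = [
    {"event": "NOTIFY_OPEN", "signing_id": "com.example.backupagent", "path": f"{HOME}/Documents/tax.pdf"},
    {"event": "NOTIFY_OPEN", "signing_id": "com.example.editor", "path": f"{HOME}/Documents/notes.txt"},
    {"event": "NOTIFY_READDIR", "signing_id": "com.example.editor", "path": f"{HOME}/Desktop"},
    {"event": "NOTIFY_OPEN", "signing_id": "com.example.weather", "path": f"{HOME}/Downloads/report.csv"},
    {"event": "NOTIFY_OPEN", "signing_id": "com.example.weather", "path": f"{HOME}/Library/Caches/w.db"},
    {"event": "NOTIFY_EXEC", "signing_id": "com.example.weather", "path": "/usr/bin/curl"},
]


def load_grants(rows):
    """Build an in-memory table with the TCC.db columns this check needs."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, auth_value INTEGER)"
    )
    db.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", rows)
    return db


def allowed_services(db):
    """Return {client: set(service)} for every grant whose auth_value is allowed."""
    out = {}
    rows = db.execute("SELECT service, client FROM access WHERE auth_value = ?", (AUTH_ALLOWED,))
    for service, client in rows:
        out.setdefault(client, set()).add(service)
    return out


def required_service(path):
    """Return the TCC service that gates `path`, or None if the path is not protected."""
    p = PurePosixPath(path)
    for root, service in PROTECTED.items():
        r = PurePosixPath(root)
        if p == r or r in p.parents:
            return service
    return None


def audit(events, grants):
    """Return (signing_id, path, service) for reads with neither the folder grant nor FDA."""
    findings = []
    for ev in events:
        if ev["event"] not in ("NOTIFY_OPEN", "NOTIFY_READDIR"):
            continue
        service = required_service(ev["path"])
        if service is None:
            continue
        have = grants.get(ev["signing_id"], set())
        if service in have or FULL_DISK in have:
            continue
        findings.append((ev["signing_id"], ev["path"], service))
    return findings


def run():
    db = load_grants(CONSTRUCTED_GRANTS)
    return audit(CONSTRUCTED_EVENTS, allowed_services(db))


if __name__ == "__main__":
    for signing_id, path, service in run():
        print(f"{signing_id} read {path} without {service}")
```

On an unpatched host, a successful bypass produces exactly the pattern this flags: the file is opened, but no allowed row for that client and service exists in either TCC.db. The denied Desktop row for `com.example.editor` is deliberately included, since a denied entry is not a grant and the read must still be reported.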
Monitoring Recommendations
- Track macOS build versions across the fleet and flag any host running a version earlier than macOS Tahoe 26.5
- Aggregate process and file access telemetry from macOS endpoints into a centralized analytics platform for behavioral baselining
- Alert on applications accessing user data categories they have not historically required
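The fleet version check from the monitoring recommendations above, as an added example that is not part of the original advisory. The inventory rows are constructed, and the `hostname` and `product_version` field names are assumptions about whatever MDM or asset export feeds the check; `product_version` is whatever `sw_vers -productVersion` reports. Versions are compared numerically rather than as strings, which would otherwise rank a future "26.10" below "26.5".

```python
"""Flag hosts running a macOS version earlier than the fixed release.

Added example, not from the advisory. Inventory rows and field names are
constructed assumptions about the asset export in use.
"""
FIXED = "26.5"  # macOS Tahoe release carrying the fix for CVE-2026-43652

# Constructed inventory, as it might arrive from an MDM export.
CONSTRUCTED_INVENTORY = [
    {"hostname": "mac-001", "product_version": "26.5"},
    {"hostname": "mac-002", "product_version": "26.4.1"},
    {"hostname": "mac-003", "product_version": "26.10"},
    {"hostname": "mac-004", "product_version": "15.7.2"},
    {"hostname": "mac-005", "product_version": "26.5.1"},
]


def parse_version(s):
    """Turn '26.4.1' into (26, 4, 1) so components compare as integers."""
    return tuple(int(part) for part in s.strip().split("."))


def is_patched(product_version, fixed=FIXED):
    """True when product_version >= fixed, treating '26.5' and '26.5.0' as equal."""
    a, b = parse_version(product_version), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))  # tuple comparison alone would rank (26, 5) below (26, 5, 0)
    b += (0,) * (width - len(b))
    return a >= b


def unpatched_hosts(inventory, fixed=FIXED):
    """Return (hostname, version, reason) for every host below the fixed version."""
    fixed_major = parse_version(fixed)[0]
    flagged = []
    for row in inventory:
        version = row["product_version"]
        if is_patched(version, fixed):
            continue
        # Distinguish Tahoe hosts that simply need 26.5 from hosts still on an
        # older major release, which may need a different update path.
        reason = "Tahoe prior to 26.5" if parse_version(version)[0] == fixed_major else "older major release"
        flagged.append((row["hostname"], version, reason))
    return flagged


if __name__ == "__main__":
    for hostname, version, reason in unpatched_hosts(CONSTRUCTED_INVENTORY):
        print(f"{hostname}\t{version}\t{reason}")
```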
How to Mitigate CVE-2026-43652
Immediate Actions Required
- Upgrade all affected macOS systems to macOS Tahoe 26.5 or later
- Inventory installed third-party applications and review their requested privacy permissions
- Revoke unnecessary Full Disk Access, Files and Folders, and other sensitive TCC permissions from non-essential applications
Patch Information
Apple released the fix in macOS Tahoe 26.5. Details are published in Apple Support Document 127115. Administrators should deploy the update through Apple's software update mechanism or mobile device management (MDM) tooling, and confirm the installed version on each endpoint afterwards.
Workarounds
- Restrict installation of untrusted applications via MDM application allowlisting until patched
- Apply the principle of least privilege to TCC permission grants on macOS endpoints
- Isolate systems handling sensitive user data from untrusted code execution paths
Verify and update from a terminal on each endpoint:
# Report the installed macOS version; anything below 26.5 is unpatched
sw_vers -productVersion
# List available updates, then install them all and restart (administrator)
softwareupdate --list
sudo softwareupdate --install --all --restart
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.