CVE-2024-14032
Published: 06 April 2026
Summary
CVE-2024-14032 is a high-severity Missing Authorization (CWE-862) vulnerability in Twitch Studio, published by Twitch. Its CVSS base score is 8.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 7.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2024-14032 is a privilege escalation vulnerability in Twitch Studio version 0.114.8 and prior, stemming from an unprotected XPC service in its privileged helper tool. This flaw, classified under CWE-862 (Missing Authorization), enables local attackers to invoke the installFromPath:toPath:withReply: method to overwrite system files and privileged binaries, resulting in arbitrary code execution as root and full system compromise. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Local attackers with low privileges (PR:L) can exploit the issue with low complexity (AC:L) and no user interaction (UI:N), achieving high impacts across confidentiality, integrity, and availability. Exploitation requires only local access to the system running the affected Twitch Studio version, allowing attackers to escalate privileges to root and maintain persistent control.
Advisories referenced in VulnCheck and IRU publications describe the unprotected XPC service and the resulting potential for root-level file writes, while Twitch support pages cover only related software topics. No patch is available, because Twitch Studio was discontinued in May 2024.
Security practitioners should prioritize uninstalling Twitch Studio from affected macOS systems, given the discontinuation and lack of vendor support.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-55535
Vulnerability details
Twitch Studio version 0.114.8 and prior contain a privilege escalation vulnerability in its privileged helper tool that allows local attackers to execute arbitrary code as root by exploiting an unprotected XPC service. Attackers can invoke the installFromPath:toPath:withReply: method to overwrite system files and privileged binaries, achieving full system compromise. Twitch Studio was discontinued in May 2024.
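The missing-authorization pattern described above and in the deeper analysis, as an added illustration that is not Twitch Studio's own code: a hypothetical privileged helper's NSXPCListener delegate, first accepting every connection (the CWE-862 shape), then a hardened variant that binds each connection to a code-signing requirement so only the signed main application can reach a method like installFromPath:toPath:withReply:. The protocol name, team identifier and bundle identifier are placeholders, and the hardened path assumes macOS 13 or later for setCodeSigningRequirement:.

```objc
// Added illustration, not Twitch Studio's code. InstallerProtocol, the
// team ID and the bundle ID are placeholders.
#import <Foundation/Foundation.h>

@protocol InstallerProtocol
- (void)installFromPath:(NSString *)src toPath:(NSString *)dst
              withReply:(void (^)(NSError *))reply;
@end

@interface HelperDelegate : NSObject <NSXPCListenerDelegate>
@property (nonatomic, strong) id<InstallerProtocol> exportedObject;
@end

@implementation HelperDelegate
// UNPROTECTED (CWE-862): any local process that can look up the Mach
// service receives the exported object, so any user can call a method
// that runs as root. The delegate never asks who the caller is.
- (BOOL)listener:(NSXPCListener *)listener
shouldAcceptNewConnection:(NSXPCConnection *)conn {
    conn.exportedInterface =
        [NSXPCInterface interfaceWithProtocol:@protocol(InstallerProtocol)];
    conn.exportedObject = self.exportedObject;
    [conn resume];
    return YES;
}
@end

@interface HardenedHelperDelegate : HelperDelegate
@end

@implementation HardenedHelperDelegate
// HARDENED: attach a code-signing requirement before exposing anything.
// XPC then verifies the peer's signature (by audit token, not PID) and
// tears the connection down if it does not match.
- (BOOL)listener:(NSXPCListener *)listener
shouldAcceptNewConnection:(NSXPCConnection *)conn {
    NSString *req = @"anchor apple generic and "
                     "certificate leaf[subject.OU] = \"TEAMID0000\" and "  // placeholder team ID
                     "identifier \"com.example.mainapp\"";                // placeholder bundle ID
    if (@available(macOS 13.0, *)) {
        [conn setCodeSigningRequirement:req];
    } else {
        return NO; // cannot attribute the caller safely here: refuse
    }
    conn.exportedInterface =
        [NSXPCInterface interfaceWithProtocol:@protocol(InstallerProtocol)];
    conn.exportedObject = self.exportedObject;
    [conn resume];
    return YES;
}
@end
```

Even with an authenticated caller, the helper should still restrict which destination paths an install method accepts, since the caller's identity does not make arbitrary file overwrites safe.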
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct local privilege escalation via exploitation of unprotected XPC privileged helper allowing file/binary overwrite for root code execution.
Mitigating Controls (NIST 800-53 r5)
- Least privilege: enforces least privilege on the privileged helper tool to prevent low-privileged local attackers from invoking root-level XPC methods for privilege escalation.
- AC-3 (Access Enforcement): requires the unprotected XPC service to enforce approved authorizations, blocking unauthorized access to methods that enable system file overwrites.
- AC-25 (Reference Monitor): implements a reference monitor to mediate all accesses by the privileged helper tool, preventing exploitation of missing authorization in XPC services.