Cyber Posture

CVE-2026-20622

High

Published: 25 March 2026
Modified: 25 March 2026
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0004 (12.6th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-20622 is a high-severity Improper Access Control (CWE-284) vulnerability in Apple macOS. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Screen Capture (T1113). The vulnerability is ranked at the 12.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Screen Capture (T1113). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 (Flaw Remediation), control type: prevent. Requires identification, reporting, and correction of flaws such as improper temporary file handling, directly mitigating the weakness that enables unauthorized screen capture. (The control identifier is supplied here from the NIST text the description quotes; the page itself lists only the description.)

AC-3 (Access Enforcement), control type: prevent. Enforces approved authorizations for access to system resources such as temporary files, preventing apps from reading screen content without permission.

AC-6 (Least Privilege), control type: prevent. Limits the privileges of executing apps to the minimum necessary, blocking unauthorized access to screen data via temporary files.

MITRE ATT&CK Enterprise Techniques

T1113 Screen Capture (Collection)
Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.
Why these techniques?

The flaw directly enables unauthorized screen capture by any app because of improper access control on temporary files, which matches T1113 Screen Capture and its confidentiality impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A privacy issue was addressed with improved handling of temporary files. This issue is fixed in macOS Sequoia 15.7.4, macOS Tahoe 26.3. An app may be able to capture a user's screen.

Deeper analysis

CVE-2026-20622 is a privacy vulnerability stemming from improper handling of temporary files, classified under CWE-284 (Improper Access Control). It affects macOS Sequoia versions prior to 15.7.4 and macOS Tahoe versions prior to 26.3. The flaw allows an app to capture the user's screen and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility, low attack complexity, and no requirement for privileges or user interaction.

Any app, potentially delivered remotely given the network vector, can exploit this issue to access and capture the user's screen content without authentication or interaction. The impact is a high-confidentiality breach: sensitive screen data such as displayed credentials, documents, or other private information can be read, while integrity and availability are unaffected.

Apple's security advisories describe the fix as improved temporary file handling, shipped in macOS Sequoia 15.7.4 and macOS Tahoe 26.3. Practitioners should prioritize updating affected systems, as outlined in the referenced support pages: https://support.apple.com/en-us/126348 and https://support.apple.com/en-us/126349.

Details

CWE(s)

CWE-284 (Improper Access Control)

Affected Products

Apple macOS: 15.0 to 15.7.4 and 26.0 to 26.3

CVEs Like This One

CVE-2025-24241 (same product: Apple macOS)
CVE-2025-24229 (same product: Apple macOS)
CVE-2025-30462 (same product: Apple macOS)
CVE-2025-43192 (same product: Apple macOS)
CVE-2025-43194 (same product: Apple macOS)
CVE-2025-43184 (same product: Apple macOS)
CVE-2026-28837 (same product: Apple macOS)
CVE-2025-43232 (same product: Apple macOS)
CVE-2025-30460 (same product: Apple macOS)
CVE-2024-40858 (same product: Apple macOS)
