CVE-2026-20626
Published: 11 February 2026
Summary
CVE-2026-20626 is a high-severity Missing Authorization (CWE-862) vulnerability in Apple Macos. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for access to system resources, directly mitigating the missing authorization checks that enable malicious apps to escalate to root privileges.
Employs least privilege to restrict user and process access to only necessary permissions, preventing low-privileged malicious apps from gaining root-level control.
Requires timely remediation of flaws through patching, addressing the specific authorization vulnerability fixed in updated Apple OS versions.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization vulnerability directly enables local privilege escalation from low-privileged context (e.g., malicious app) to root via exploitation of the flaw.
NVD Description
This issue was addressed with improved checks. This issue is fixed in iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.4, macOS Tahoe 26.3, visionOS 26.3. A malicious app may be able to gain root privileges.
Deeper analysisAI
CVE-2026-20626 is a missing authorization vulnerability (CWE-862) in Apple operating systems that enables privilege escalation. It affects iOS versions prior to 26.3, iPadOS prior to 26.3, macOS Sequoia prior to 15.7.4, macOS Tahoe prior to 26.3, and visionOS prior to 26.3. The issue was addressed through improved checks, as indicated by its CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting high-impact local exploitation potential.
A local attacker with low privileges, such as one executing a malicious app installed by the user, can exploit this vulnerability to gain root privileges on the affected system. Successful exploitation grants full control, potentially allowing unauthorized access to sensitive data, modification of system files, and disruption of services, with high impacts on confidentiality, integrity, and availability.
Apple's security advisories detail the fix via improved authorization checks in the listed patched versions. Relevant support pages include https://support.apple.com/en-us/126346, https://support.apple.com/en-us/126348, https://support.apple.com/en-us/126349, and https://support.apple.com/en-us/126353, which practitioners should review for full patch details and deployment guidance.
Details
- CWE(s)