CVE-2026-20688
Published: 25 March 2026
Summary
CVE-2026-20688 is a critical-severity Path Traversal (CWE-22) vulnerability in Apple Macos. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 8.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-39 (Process Isolation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation of path inputs to directly prevent path traversal exploits that enable sandbox escape.
Maintains process isolation enforced by sandboxing to block unauthorized access to system resources via path manipulation.
Enforces access control policies that sandbox mechanisms implement, mitigating breakout attempts through improper path handling.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal (CWE-22) directly enables local sandbox escape, mapping to exploitation for privilege escalation to obtain elevated system access.
NVD Description
A path handling issue was addressed with improved validation. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, visionOS 26.4. An app may be able to break out of its…
more
sandbox.
Deeper analysisAI
CVE-2026-20688 is a path handling vulnerability (CWE-22) in Apple operating systems, addressed through improved validation of paths. It affects iOS and iPadOS versions prior to 26.4, macOS Sequoia prior to 15.7.5, macOS Sonoma prior to 14.8.5, macOS Tahoe prior to 26.4, and visionOS prior to 26.4. The flaw enables an app to break out of its sandbox, earning a CVSS v3.1 base score of 9.3 (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to high impacts across confidentiality, integrity, and availability with a scope change.
A local attacker can exploit this vulnerability with low complexity, requiring no privileges or user interaction. Successful exploitation allows the malicious app to escape its sandboxed environment, potentially granting elevated access to system resources and enabling full compromise of the affected device.
Apple security advisories detail the patch availability, confirming the issue is fixed in iOS 26.4, iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, and visionOS 26.4. Practitioners should prioritize updating affected devices; further details are available in the referenced support pages at https://support.apple.com/en-us/126792, https://support.apple.com/en-us/126794, https://support.apple.com/en-us/126795, https://support.apple.com/en-us/126796, and https://support.apple.com/en-us/126799.
Details
- CWE(s)