Cyber Posture

CVE-2026-20701

High

Published: 25 March 2026

Modified: 25 March 2026
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0006 (17.7th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-20701 is a high-severity Protection Mechanism Failure (CWE-693) vulnerability in Apple macOS. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Network Shared Drive (T1039). The CVE ranks at the 17.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Network Shared Drive (T1039).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly enforces approved authorizations via sandbox restrictions to prevent apps from accessing network shares without user consent.

prevent

Provides process isolation through sandboxing to restrict malicious apps from bypassing controls and connecting to network shares.

prevent

Controls information flow to external network shares, mitigating unauthorized connections by apps exploiting sandbox weaknesses.

MITRE ATT&CK Enterprise Techniques · AI

T1039: Data from Network Shared Drive (Collection)
Adversaries may search network shares on computers they have compromised to find files of interest.

Why these techniques?

The sandbox bypass directly enables unauthorized access to, and data collection from, network shared drives via a malicious app.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to connect to a network share without user consent.

Deeper analysis · AI

CVE-2026-20701 is an access control vulnerability in macOS that allows an app to connect to a network share without user consent. The issue stems from insufficient sandbox restrictions, classified under CWE-693 (Protection Mechanism Failure). It affects macOS Sequoia versions prior to 15.7.5, macOS Sonoma versions prior to 14.8.5, and macOS Tahoe versions prior to 26.4. The vulnerability received a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to its network accessibility and confidentiality impact.

Attackers can exploit this vulnerability remotely without privileges or user interaction by leveraging a malicious app. Once executed, the app gains unauthorized access to a network share, potentially enabling exfiltration of sensitive data. The unchanged scope and lack of integrity or availability disruption focus the risk on data disclosure.

Apple addressed the issue through additional sandbox restrictions in the specified macOS updates: Sequoia 15.7.5, Sonoma 14.8.5, and Tahoe 26.4. Official advisories are available at https://support.apple.com/en-us/126794, https://support.apple.com/en-us/126795, and https://support.apple.com/en-us/126796, recommending immediate patching for affected systems.

Details

CWE(s)

Affected Products

apple
macos
14.0 — 14.8.5 · 15.0 — 15.7.5 · 26.0 — 26.4

CVEs Like This One

CVE-2025-43261 · Same product: Apple macOS
CVE-2025-46290 · Same product: Apple macOS
CVE-2025-30452 · Same product: Apple macOS
CVE-2025-43219 · Same product: Apple macOS
CVE-2025-43189 · Same product: Apple macOS
CVE-2025-24267 · Same product: Apple macOS
CVE-2025-24245 · Same product: Apple macOS
CVE-2026-28817 · Same product: Apple macOS
CVE-2025-24109 · Same product: Apple macOS
CVE-2025-24277 · Same product: Apple macOS
