Cyber Resilience

CVE-2026-20701

High

Published: 25 March 2026

Modified: 25 March 2026
KEV Added
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0006 (18.9th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-20701 is a high-severity Protection Mechanism Failure (CWE-693) vulnerability in Apple macOS. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Network Shared Drive (T1039). The CVE ranks at the 18.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).

Deeper analysis

CVE-2026-20701 is an access control vulnerability in macOS that allows an app to connect to a network share without user consent. The issue stems from insufficient sandbox restrictions, classified under CWE-693 (Protection Mechanism Failure). It affects macOS Sequoia versions prior to 15.7.5, macOS Sonoma versions prior to 14.8.5, and macOS Tahoe versions prior to 26.4. The vulnerability received a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to its network accessibility and confidentiality impact.

Attackers can exploit this vulnerability remotely without privileges or user interaction by leveraging a malicious app. Once executed, the app gains unauthorized access to a network share, potentially enabling exfiltration of sensitive data. The unchanged scope and lack of integrity or availability disruption focus the risk on data disclosure.

Apple addressed the issue through additional sandbox restrictions in the specified macOS updates: Sequoia 15.7.5, Sonoma 14.8.5, and Tahoe 26.4. Official advisories are available at https://support.apple.com/en-us/126794, https://support.apple.com/en-us/126795, and https://support.apple.com/en-us/126796, recommending immediate patching for affected systems.

Vulnerability details

An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to connect to a network share without user consent.

Related Threats

MITRE ATT&CK Enterprise Techniques · AI

T1039: Data from Network Shared Drive (Collection)
Adversaries may search network shares on computers they have compromised to find files of interest.
Why these techniques?

The sandbox bypass directly enables unauthorized access to, and data collection from, network shared drives via a malicious app.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-43261 · Same product: Apple macOS
CVE-2025-46290 · Same product: Apple macOS
CVE-2025-24232 · Same product: Apple macOS
CVE-2024-54509 · Same product: Apple macOS
CVE-2025-24176 · Same product: Apple macOS
CVE-2025-31194 · Same product: Apple macOS
CVE-2025-24103 · Same product: Apple macOS
CVE-2025-24265 · Same product: Apple macOS
CVE-2025-24135 · Same product: Apple macOS
CVE-2024-44286 · Same product: Apple macOS

Affected Assets

apple
macos
14.0 — 14.8.5 · 15.0 — 15.7.5 · 26.0 — 26.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly enforces approved authorizations via sandbox restrictions to prevent apps from accessing network shares without user consent.

prevent

Provides process isolation through sandboxing to restrict malicious apps from bypassing controls and connecting to network shares.

prevent

Controls information flow to external network shares, mitigating unauthorized connections by apps exploiting sandbox weaknesses.
