Login Sign Up

CVE-2026-20680

6.5 MEDIUM

📋 TL;DR

This CVE describes a macOS/iOS/iPadOS vulnerability where sandboxed applications can bypass security restrictions to access sensitive user data. The issue affects multiple Apple operating system versions and was addressed through additional restrictions on app state observability. Users running affected versions are vulnerable to data exposure from malicious apps.

💻 Affected Systems

Products:
  • macOS
  • iOS
  • iPadOS
Versions: Versions prior to macOS Tahoe 26.3, macOS Sonoma 14.8.4, macOS Sequoia 15.7.4, iOS 18.7.5, iPadOS 18.7.5, iOS 26.3, iPadOS 26.3
Operating Systems: macOS, iOS, iPadOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected versions are vulnerable. Requires malicious sandboxed app installation.

📦 What is this software?

Ipados by Apple

View all CVEs affecting Ipados →

Ipados by Apple

View all CVEs affecting Ipados →

Iphone Os by Apple

View all CVEs affecting Iphone Os →

Iphone Os by Apple

View all CVEs affecting Iphone Os →

Macos by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...

Learn more about Macos →

Macos by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...

Learn more about Macos →

Macos by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...

Learn more about Macos →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Malicious sandboxed app exfiltrates sensitive user data including passwords, financial information, personal documents, and authentication tokens.

🟠

Likely Case

Malicious app collects limited user data such as browsing history, contacts, or app-specific data within its sandbox scope.

🟢

If Mitigated

App Store review process catches malicious apps before distribution, and users only install trusted applications from official sources.

🌐 Internet-Facing: LOW - This requires local app execution, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Malicious insider or compromised device could exploit this to access sensitive data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user to install malicious app from App Store or sideload. Exploit leverages sandbox escape to access data.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: macOS Tahoe 26.3, macOS Sonoma 14.8.4, macOS Sequoia 15.7.4, iOS 18.7.5, iPadOS 18.7.5, iOS 26.3, iPadOS 26.3

Vendor Advisory: https://support.apple.com/en-us/126346

Restart Required: No

Instructions:

1. Open Settings/System Preferences. 2. Navigate to Software Update. 3. Install available updates. 4. Verify installation by checking version.

🔧 Temporary Workarounds

Restrict App Installation

all

Only install apps from trusted sources and App Store. Disable sideloading.

Review App Permissions

all

Regularly review and restrict app permissions in Privacy & Security settings.

🧯 If You Can't Patch

  • Implement mobile device management (MDM) to control app installation and enforce security policies.
  • Use application allowlisting to only permit trusted applications to run on devices.

🔍 How to Verify

Check if Vulnerable:

Check current OS version against affected versions list. If running older than patched versions, device is vulnerable.

Check Version:

macOS: sw_vers -productVersion, iOS/iPadOS: Settings > General > About > Version

Verify Fix Applied:

Verify OS version matches or exceeds patched versions listed in fix_official.patch_version.

📡 Detection & Monitoring

Log Indicators:

  • Unusual app behavior logs
  • Sandbox violation logs in Console.app
  • Unexpected data access patterns

Network Indicators:

  • Suspicious outbound connections from sandboxed apps
  • Data exfiltration patterns

SIEM Query:

source="apple_sandbox" AND (event="violation" OR event="escape_attempt")

📊 Metadata

CVE ID: CVE-2026-20680
CVSS v3 Score: 6.5 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CWE: CWE-200
EPSS Score: 0.01% exploit probability (1.3th percentile)
Published: February 11, 2026
Last Updated: February 18, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-20680, you might also want to check these:

CVE-2025-61481 10.0

MikroTik RouterOS and SwOS expose their WebFig management interface over unencrypted HTTP by default...

Same vulnerability type (CWE-200)
CVE-2025-53624 10.0

The Docusaurus gists plugin versions before 4.0.0 expose GitHub Personal Access Tokens in client-sid...

Same vulnerability type (CWE-200)
CVE-2023-49103 10.0

This vulnerability in ownCloud's graphapi app exposes PHP configuration details (phpinfo) via a thir...

Same vulnerability type (CWE-200)