← Back
2026-03-26 10:55CVE-2026-24068SEC-VLab
PUBLISHED5.2CWE-306

Missing XPC Client & NSXPC endpoint validation leads to privilege escalation in Vienna Assistant (MacOS) - Vienna Symphonic Library

The VSL privileged helper does utilize NSXPC for IPC. The implementation of the "shouldAcceptNewConnection" function, which is used by the NSXPC framework to validate if a client should be allowed to connect to the XPC listener, does not validate clients at all. This means that any process can connect to this service using the configured protocol. A malicious process is able to call all the functions defined in the corresponding HelperToolProtocol. No validation is performed in the functions "writeReceiptFile" and “runUninstaller” of the HelperToolProtocol. This allows an attacker to write files to any location with any data as well as execute any file with any arguments. Any process can call these functions because of the missing XPC client validation described before. The abuse of the missing endpoint validation leads to privilege escalation.

Problem type

Affected products

Vienna Symphonic Library GmbH

Vienna Assistant

1.2.542 - AFFECTED

References

r.sec-consult.com

https://r.sec-consult.com/vsl

third-party-advisory

GitHub Security Advisories

GHSA-ffjr-v44f-52r7

The VSL privileged helper does utilize NSXPC for IPC. The implementation of the ...

https://github.com/advisories/GHSA-ffjr-v44f-52r7

The VSL privileged helper does utilize NSXPC for IPC. The implementation of the "shouldAcceptNewConnection" function, which is used by the NSXPC framework to validate if a client should be allowed to connect to the XPC listener, does not validate clients at all. This means that any process can connect to this service using the configured protocol. A malicious process is able to call all the functions defined in the corresponding HelperToolProtocol. No validation is performed in the functions "writeReceiptFile" and “runUninstaller” of the HelperToolProtocol. This allows an attacker to write files to any location with any data as well as execute any file with any arguments. Any process can call these functions because of the missing XPC client validation described before. The abuse of the missing endpoint validation leads to privilege escalation.

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2026-24068

r.sec-consult.com

https://r.sec-consult.com/vsl

github.com

https://github.com/advisories/GHSA-ffjr-v44f-52r7

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-24068
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-24068",
    "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
    "assignerShortName": "SEC-VLab",
    "dateUpdated": "2026-03-26T13:51:53.385Z",
    "dateReserved": "2026-01-21T11:29:19.853Z",
    "datePublished": "2026-03-26T10:55:54.603Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
        "shortName": "SEC-VLab",
        "dateUpdated": "2026-03-26T10:55:54.603Z"
      },
      "title": "Missing XPC Client & NSXPC endpoint validation leads to privilege escalation in Vienna Assistant (MacOS) - Vienna Symphonic Library",
      "descriptions": [
        {
          "lang": "en",
          "value": "The VSL privileged helper does utilize NSXPC for IPC. The implementation of the \"shouldAcceptNewConnection\" function, which is used by the NSXPC framework to validate if a client should be allowed to connect to the XPC listener, does not validate clients at all. This means that any process can connect to this service using the configured protocol. A malicious process is able to call all the functions defined in the corresponding HelperToolProtocol. No validation is performed in the functions \"writeReceiptFile\" and “runUninstaller” of the HelperToolProtocol. This allows an attacker to write files to any location with any data as well as execute any file with any arguments. Any process can call these functions because of the missing XPC client validation described before. The abuse of the missing endpoint validation leads to privilege escalation.",
          "supportingMedia": [
            {
              "type": "text/html",
              "base64": false,
              "value": "<p>The VSL privileged helper does utilize NSXPC for IPC. The implementation of the \"shouldAcceptNewConnection\" function, which is used by the NSXPC framework to validate if a client should be allowed to connect to the XPC listener, does not validate clients at all.&nbsp;<span>This means that any process can connect to this service using the configured protocol. A malicious process is able to call all the functions defined in the corresponding HelperToolProtocol.&nbsp;</span><span>No validation is performed in the functions \"writeReceiptFile\" and “runUninstaller” of the HelperToolProtocol. This allows an attacker to write files to any location with any data as well as execute any file with any arguments. Any process can call these functions because of the missing XPC client validation described before. The abuse of the missing endpoint validation leads to privilege escalation.</span></p>"
            }
          ]
        }
      ],
      "affected": [
        {
          "vendor": "Vienna Symphonic Library GmbH",
          "product": "Vienna Assistant",
          "platforms": [
            "MacOS"
          ],
          "defaultStatus": "unknown",
          "versions": [
            {
              "version": "1.2.542",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-306 Missing authentication for critical function",
              "cweId": "CWE-306",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://r.sec-consult.com/vsl",
          "tags": [
            "third-party-advisory"
          ]
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-1",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
            }
          ]
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "The vendor was unresponsive and did not respond to any of our communication attempts. Therefore, a patch is not available. In case you are using this product, please approach the vendor and demand a fix.",
          "supportingMedia": [
            {
              "type": "text/html",
              "base64": false,
              "value": "<p>The vendor was unresponsive and did not respond to any of our communication attempts. Therefore, a patch is not available. In case you are using this product, please approach the vendor and demand a fix.</p>"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Florian Haselsteiner, SEC Consult Vulnerability Lab",
          "type": "finder"
        }
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2026-03-26T13:51:53.385Z"
        },
        "title": "CISA ADP Vulnrichment",
        "metrics": [
          {
            "cvssV3_1": {
              "version": "3.1",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "attackVector": "NETWORK",
              "attackComplexity": "LOW",
              "privilegesRequired": "LOW",
              "userInteraction": "NONE",
              "scope": "UNCHANGED",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH"
            }
          },
          {}
        ]
      }
    ]
  }
}