{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-31186", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "state": "PUBLISHED", "assignerShortName": "apple", "dateReserved": "2025-03-27T16:13:58.311Z", "datePublished": "2026-01-16T17:06:10.519Z", "dateUpdated": "2026-04-02T18:24:28.343Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "An app may be able to bypass Privacy preferences"}]}], "affected": [{"vendor": "Apple", "product": "Xcode", "versions": [{"version": "0", "status": "affected", "lessThan": "16.3", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "A permissions issue was addressed with additional restrictions. This issue is fixed in Xcode 16.3. An app may be able to bypass Privacy preferences."}], "references": [{"url": "https://support.apple.com/en-us/122380"}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2026-04-02T18:24:28.343Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "CWE-284 Improper Access Control"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-16T18:26:21.212263Z", "id": "CVE-2025-31186", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T18:28:37.081Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-31186", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-16T18:26:21.212263Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T18:28:08.345Z"}}], "cna": {"affected": [{"vendor": "Apple", "product": "Xcode", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "16.3", "versionType": "custom"}]}], "references": [{"url": "https://support.apple.com/en-us/122380"}], "descriptions": [{"lang": "en", "value": "A permissions issue was addressed with additional restrictions. This issue is fixed in Xcode 16.3. An app may be able to bypass Privacy preferences."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "An app may be able to bypass Privacy preferences"}]}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2026-01-16T17:06:10.519Z"}}}, "cveMetadata": {"cveId": "CVE-2025-31186", "state": "PUBLISHED", "dateUpdated": "2026-01-16T18:28:37.081Z", "dateReserved": "2025-03-27T16:13:58.311Z", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "datePublished": "2026-01-16T17:06:10.519Z", "assignerShortName": "apple"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*", "matchCriteriaId": "EBF1CF04-EF61-4499-90E6-EAF48F313E0B", "versionEndExcluding": "16.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A permissions issue was addressed with additional restrictions. This issue is fixed in Xcode 16.3. An app may be able to bypass Privacy preferences."}], "id": "CVE-2025-31186", "lastModified": "2026-01-27T20:19:59.627", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-16T18:16:07.260", "references": [{"source": "product-security@apple.com", "tags": ["Vendor Advisory"], "url": "https://support.apple.com/en-us/122380"}], "sourceIdentifier": "product-security@apple.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T21:38:51.742123+00:00", "value": {"mitigation_remediation": ["Upgrade Xcode to version 16.3 or later, where the permission enforcement has been strengthened.", "Rebuild all existing projects using the updated Xcode to ensure new binaries inherit the corrected access controls.", "Review and test application privacy permission handling to confirm that sensitive privacy settings are protected after rebuilding."], "summary": {"action": "Patch Xcode", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The flaw affects all installations of Xcode prior to version 16.3. Developers using older releases, or building applications on those versions, are exposed to the risk of creating binaries that can circumvent privacy controls on macOS or iOS devices. Any developer environment or team that has not yet upgraded may produce software that unintentionally or intentionally bypasses user privacy preferences.", "description_and_impact": "This vulnerability arises from an improperly enforced access control within Xcode, which may allow an application to override standard privacy preference restrictions. Because the permission enforcement is weakened, a malicious or poorly coded application could potentially access or modify user privacy settings that should normally be safeguarded. The weakness is mitigated in Xcode 16.3, where additional restrictions have been implemented.", "risk_and_exploitability": "The CVSS score of 3.3 denotes low severity, and the EPSS score indicates a probability of exploitation below 1%, suggesting limited demand or availability of exploit code. Nonetheless, the issue is included in Apple\u2019s advisory and is not listed in the CISA KEV catalog, pointing to moderate risk. The attack would likely be carried out by a developer or an application distributed by a malicious party, and would require the affected code to be executed on a system where the privacy settings are accessible. The best defense is to reach the patched release of Xcode, eliminating the software flaw."}}}}, "created": "2026-01-19T09:20:38.908468+00:00", "title": "Xcode Permissions Issue Allowing Apps to Bypass Privacy Preferences", "updated": "2026-04-27T21:45:14.530650+00:00", "vendors": ["apple", "apple$PRODUCT$xcode"]}