{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24062", "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "state": "PUBLISHED", "assignerShortName": "SEC-VLab", "dateReserved": "2026-01-21T11:29:19.852Z", "datePublished": "2026-03-18T15:24:07.985Z", "dateUpdated": "2026-03-18T15:55:32.532Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "shortName": "SEC-VLab", "dateUpdated": "2026-03-18T15:24:07.985Z"}, "title": "Insufficient XPC Client validation leading to local privilege escalation in Arturia Software Center", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-306", "description": "CWE-306 Missing authentication for critical function", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "affected": [{"vendor": "Arturia", "product": "Software Center", "platforms": ["MacOS"], "versions": [{"status": "affected", "version": "2.12.0.3157"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "The \"Privileged Helper\" component of the Arturia Software Center (MacOS) does not perform sufficient client code signature validation when a client connects.\u00a0This leads to an attacker being able to connect to the helper and execute privileged actions leading to local privilege escalation.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>The \"Privileged Helper\" component of the Arturia Software Center (MacOS) does not perform sufficient client code signature validation when a client connects.&nbsp;<span>This leads to an attacker being able to connect to the helper and execute privileged actions leading to local privilege escalation.</span></p><br>"}]}], "references": [{"url": "https://r.sec-consult.com/arturia", "tags": ["third-party-advisory"]}], "solutions": [{"lang": "en", "value": "The vendor was unresponsive and did not respond to any of our communication attempts. Therefore, a patch is not available. In case you are using this product, please approach the vendor and demand a fix.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>The vendor was unresponsive and did not respond to any of our communication attempts. Therefore, a patch is not available. In case you are using this product, please approach the vendor and demand a fix.</p>"}]}], "credits": [{"lang": "en", "value": "Florian Haselsteiner, SEC Consult Vulnerability Lab", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T15:55:13.330338Z", "id": "CVE-2026-24062", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T15:55:32.532Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-24062", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-18T15:55:13.330338Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T15:53:47.428Z"}}], "cna": {"title": "Insufficient XPC Client validation leading to local privilege escalation in Arturia Software Center", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Florian Haselsteiner, SEC Consult Vulnerability Lab"}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "affected": [{"vendor": "Arturia", "product": "Software Center", "versions": [{"status": "affected", "version": "2.12.0.3157"}], "platforms": ["MacOS"], "defaultStatus": "unknown"}], "solutions": [{"lang": "en", "value": "The vendor was unresponsive and did not respond to any of our communication attempts. Therefore, a patch is not available. In case you are using this product, please approach the vendor and demand a fix.", "supportingMedia": [{"type": "text/html", "value": "<p>The vendor was unresponsive and did not respond to any of our communication attempts. Therefore, a patch is not available. In case you are using this product, please approach the vendor and demand a fix.</p>", "base64": false}]}], "references": [{"url": "https://r.sec-consult.com/arturia", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "The \"Privileged Helper\" component of the Arturia Software Center (MacOS) does not perform sufficient client code signature validation when a client connects.\u00a0This leads to an attacker being able to connect to the helper and execute privileged actions leading to local privilege escalation.", "supportingMedia": [{"type": "text/html", "value": "<p>The \"Privileged Helper\" component of the Arturia Software Center (MacOS) does not perform sufficient client code signature validation when a client connects.&nbsp;<span>This leads to an attacker being able to connect to the helper and execute privileged actions leading to local privilege escalation.</span></p><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306 Missing authentication for critical function"}]}], "providerMetadata": {"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "shortName": "SEC-VLab", "dateUpdated": "2026-03-18T15:24:07.985Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24062", "state": "PUBLISHED", "dateUpdated": "2026-03-18T15:55:32.532Z", "dateReserved": "2026-01-21T11:29:19.852Z", "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "datePublished": "2026-03-18T15:24:07.985Z", "assignerShortName": "SEC-VLab"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The \"Privileged Helper\" component of the Arturia Software Center (MacOS) does not perform sufficient client code signature validation when a client connects.\u00a0This leads to an attacker being able to connect to the helper and execute privileged actions leading to local privilege escalation."}], "id": "CVE-2026-24062", "lastModified": "2026-03-19T13:25:00.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-18T16:16:26.300", "references": [{"source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "url": "https://r.sec-consult.com/arturia"}], "sourceIdentifier": "551230f0-3615-47bd-b7cc-93e92e730bbf", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["macos"], "status": "affected", "versions": {"scheme": "generic", "value": "2.12.0.3157"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Software Center", "source": "cna", "vendor": "Arturia"}, "product": "software_center", "vendor": "arturia"}], "analysis": {"en": {"generated_at": "2026-03-18T17:20:48.921275+00:00", "value": {"mitigation_remediation": ["Contact Arturia and demand a fix from the vendor", "If a fix is not forthcoming, uninstall or disable Arturia Software Center to remove the vulnerable component", "Continuously monitor Arturia\u2019s website or release notes for any update and apply the patch immediately when it becomes available"], "summary": {"action": "Contact Vendor", "impact": "Local Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The affected product is Arturia Software Center for macOS. Specific version details are not provided, so all installations of the software may be vulnerable until an update is released.", "description_and_impact": "The vulnerability exists because the Privileged Helper component of Arturia Software Center on macOS does not properly validate the code signature of connecting XPC clients. This weakness allows a local attacker to connect to the helper and invoke privileged operations, effectively performing local privilege escalation. The issue is identified as a missing authentication of code (CWE-306).", "risk_and_exploitability": "The CVSS base score of 7.8 indicates a high severity, and the EPSS score is currently unavailable. The vulnerability is not listed in the CISA KEV catalog. Because the attack requires local access to the system and the ability to launch an XPC client against the helper, the threat is directed toward local users or processes. Without a vendor patch, the risk remains significant for any user running the software."}}}}, "created": "2026-03-19T08:56:32.795036+00:00", "updated": "2026-03-24T10:58:39.573974+00:00", "vendors": ["arturia", "arturia$PRODUCT$software_center"]}