CVE-2026-2638

Description

A vulnerability in the quarantine and restore workflow of the X-VPN macOS website versions 77.0 through 77.5 allow a local attacker to leverage a race condition and symlink manipulation to achieve privileged file corruption.

CVSS breakdown

CVSS 4.0

Attack Vector

Local

Attack Complexity

Low

Attack Requirements

Present

Privileges Required

Low

User Interaction

None

Confidentiality (Vulnerable System)

High

Integrity (Vulnerable System)

High

Availability (Vulnerable System)

High

Confidentiality (Subsequent System)

None

Integrity (Subsequent System)

None

Availability (Subsequent System)

None

Affected products

X-VPN / X-VPN macOS website77.0 – 77.5

References

VENDOR_ADVISORYhttps://fluidattacks.com/es/advisories/soad
MISChttps://xvpn.io/resources/statement-local-privilege-escalation-vulnerability
MISChttps://xvpn.io/download/vpn-mac
MISChttps://xvpn.io/