PT-2026-28337 · Unknown · Vienna Assistant

Florian Haselsteiner · Published 2026-03-26 · Updated 2026-03-27 · CVE-2026-24068

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Vienna Assistant (affected versions not specified)

Description

The Vienna Assistant privileged helper uses NSXPC for inter-process communication (IPC). The helper's implementation of shouldAcceptNewConnection, the function the NSXPC framework calls to validate client connections to the XPC listener, does not perform any client validation. As a result, any process can connect to the service using the configured protocol and call every function defined in the HelperToolProtocol.

Specifically, the functions writeReceiptFile and runUninstaller in the HelperToolProtocol lack validation, enabling an attacker to write files to any location with arbitrary data and execute any file with any arguments. Because XPC client validation is absent, any process can invoke these functions, leading to privilege escalation. The vendor was unresponsive and did not provide a patch.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
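For reference, the kind of client validation the description says is missing can be expressed as below. This is an added example, not Vienna Assistant's code or a vendor patch: the protocol, class names, Mach service name, bundle identifier and team ID are hypothetical placeholders, and it assumes macOS 13 or later, where NSXPCConnection exposes setCodeSigningRequirement.

```swift
import Foundation
import Security

// Hypothetical stand-in for the helper's XPC protocol; the real
// HelperToolProtocol signatures are not shown in the advisory.
@objc protocol ExampleHelperProtocol {
    func helperVersion(reply: @escaping (String) -> Void)
}

final class ExampleHelper: NSObject, ExampleHelperProtocol {
    func helperVersion(reply: @escaping (String) -> Void) { reply("1.0") }
}

// Placeholder requirement: accept only the vendor's own client binary,
// signed with the vendor's Developer ID team. Replace both placeholders.
let clientRequirement = "anchor apple generic and identifier \"BUNDLE_ID_PLACEHOLDER\" "
    + "and certificate leaf[subject.OU] = \"TEAMID_PLACEHOLDER\""

final class ListenerDelegate: NSObject, NSXPCListenerDelegate {
    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection connection: NSXPCConnection) -> Bool {
        // Fail closed where the public requirement API is unavailable,
        // instead of falling back to "accept everyone".
        guard #available(macOS 13.0, *) else { return false }

        // Must be set before resume(): the system checks the peer's code
        // signature and invalidates the connection if it does not match.
        connection.setCodeSigningRequirement(clientRequirement)
        connection.exportedInterface = NSXPCInterface(with: ExampleHelperProtocol.self)
        connection.exportedObject = ExampleHelper()
        connection.resume()
        return true
    }
}

// A malformed requirement raises an exception inside
// setCodeSigningRequirement, so compile it once at startup.
var parsed: SecRequirement?
guard SecRequirementCreateWithString(clientRequirement as CFString, [], &parsed) == errSecSuccess else {
    fatalError("invalid code signing requirement")
}

let delegate = ListenerDelegate()
let listener = NSXPCListener(machServiceName: "MACH_SERVICE_PLACEHOLDER")
listener.delegate = delegate
listener.resume()
RunLoop.main.run()
```

Restricting who may connect addresses only the caller-identity half of the issue; functions that take a file path or a program to run still need their arguments constrained on the helper side.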

LPE

Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2026-24068

Affected Products

Vienna Assistant