PatchSiren cyber security CVE debrief
CVE-2026-24063 Arturia CVE debrief
This CVE describes a local privilege escalation in Arturia Software Center on macOS. When a plugin is installed, an uninstall.sh shell script is written to a root-owned path with mode 777 (world-writable), so any local user can edit it. The Arturia Software Center's Privileged Helper later executes that script when the plugin is uninstalled, so an attacker with a local account can replace its contents in advance and have arbitrary commands run with root privileges once an uninstall is triggered. The vulnerability has a CVSS 3.1 base score of 8.2 (HIGH): attack vector local, low attack complexity, low privileges required and user interaction required, with HIGH impact to confidentiality, integrity and availability. The weakness is categorized as CWE-276 (Incorrect Default Permissions). The CVE was published on March 18, 2026 and last modified on May 19, 2026; its status in NVD is currently 'Deferred'.
- Vendor
- Arturia
- Product
- Software Center
- CVSS
- HIGH 8.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-03-18
- Original CVE updated
- 2026-05-19
- Advisory published
- 2026-03-18
- Advisory updated
- 2026-05-19
Who should care
Organizations with macOS endpoints running Arturia Software Center for audio plugin management; security teams responsible for endpoint protection on creative workstations; system administrators managing shared or multi-user macOS environments with audio production software, where a low-privileged local account can edit the script and an administrator later triggers the uninstall.
Technical summary
The vulnerability stems from the installer writing uninstall.sh scripts with mode 777 (world-writable) into root-owned paths during plugin installation, which is the CWE-276 condition: the directory is protected, but the file inside it is not, so any local user can rewrite the script at leisure. When a plugin uninstall is later triggered in Arturia Software Center, the application's Privileged Helper executes that script with elevated privileges, and whatever the attacker placed there runs as root. The trigger requires user interaction (someone has to uninstall the plugin), but the modification can be staged at any earlier time; on a shared workstation the attacker simply waits. A complete fix has two parts: the installer must stop creating world-writable scripts, and the helper must refuse to execute a script that anyone other than root can write. Tightening the mode on existing scripts is only an interim measure, because a later plugin install can recreate the condition.
Defensive priority
HIGH
Recommended defensive actions
- Audit all Arturia Software Center installations on macOS endpoints for world-writable uninstall.sh scripts in plugin directories (a find over /Library for files named uninstall.sh with the other-write bit set)
- Review ownership and permissions on Arturia-related paths under /Library and /Applications, paying particular attention to root-owned files that unprivileged users can write
- As an interim mitigation, remove the world-write bit from any such script and re-check after every plugin install, since the installer may recreate it
- Monitor uninstall.sh scripts with file integrity monitoring (a hash baseline is sufficient) and alert on any change
- Limit local accounts on shared workstations to trusted users until the vendor fix is applied; restricting use of Arturia Software Center alone does not help, because the attacker only needs write access to the script and a later uninstall by anyone
- Apply vendor updates from Arturia when security patches are released
- Review system logs for unexpected executions of uninstall.sh scripts by the Privileged Helper
- Apply least privilege to software installation tools: a privileged helper should execute only files it owns and that nobody else can write
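The audit, interim hardening and integrity-monitoring steps above, and the world-writable-script condition from the technical summary, as one worked example. This is an added script written for this debrief, not Arturia's code and not from the SEC Consult advisory. It assumes the scripts are named exactly uninstall.sh, that they live somewhere under the audit root you pass in (the advisory names no path, so /Library is only a starting point), and that sha256sum or shasum is installed.

```shell
#!/bin/sh
# Added example for this debrief (not Arturia's code): find uninstall.sh
# scripts that are world-writable, the condition CVE-2026-24063 describes,
# strip the world-write bit as an interim measure, and keep a hash baseline
# so later tampering is caught. Assumed, not taken from the advisory: the
# scripts are named exactly "uninstall.sh", they sit somewhere under the
# audit root you pass in, and sha256sum or shasum is available.

# Print every regular file named uninstall.sh under $1 that grants write to
# "other". -perm -002 ("at least these bits set") behaves the same on BSD
# find (macOS) and GNU find, so it catches 777 as well as 666, 757 and so on.
find_world_writable_scripts() {
    find "$1" -type f -name 'uninstall.sh' -perm -002 -print 2>/dev/null
}

# Same search limited to root-owned files: a root-owned, world-writable
# script that a privileged helper later executes is the escalation path.
find_root_owned_writable_scripts() {
    find "$1" -type f -name 'uninstall.sh' -perm -002 -user root -print 2>/dev/null
}

# Remove the world-write bit from every hit and show the resulting mode.
# This does not change what the Privileged Helper runs, and a fresh plugin
# install may write a new 777 script, so re-run after installs and treat it
# as a stopgap until the vendor fix is applied. Needs root for root-owned files.
harden_world_writable_scripts() {
    find_world_writable_scripts "$1" | while IFS= read -r f; do
        chmod o-w "$f" && ls -ld "$f"
    done
}

# SHA-256 of one file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Record "hash  path" (two spaces) for every uninstall.sh under $1 into file $2.
write_script_baseline() {
    find "$1" -type f -name 'uninstall.sh' -print 2>/dev/null | sort |
    while IFS= read -r f; do
        printf '%s  %s\n' "$(sha256_of "$f")" "$f"
    done > "$2"
}

# Compare the scripts under $1 with baseline $2. Prints MODIFIED, MISSING or
# NEW lines and returns 1 if anything changed, 0 if the tree is clean, so it
# can run from cron or a launchd job and alert on a non-zero status.
check_script_baseline() {
    findings="$(
        while IFS= read -r line; do
            want="${line%%  *}"
            f="${line#*  }"
            if [ ! -f "$f" ]; then
                echo "MISSING $f"
            elif [ "$(sha256_of "$f")" != "$want" ]; then
                echo "MODIFIED $f"
            fi
        done < "$2"
        find "$1" -type f -name 'uninstall.sh' -print 2>/dev/null |
        while IFS= read -r f; do
            grep -Fq -- "  $f" "$2" || echo "NEW $f"
        done
    )"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Command-line use:
#   audit_uninstall_scripts.sh <root>                      list world-writable scripts
#   audit_uninstall_scripts.sh <root> harden               strip o+w from each hit
#   audit_uninstall_scripts.sh <root> baseline <file>      record hashes
#   audit_uninstall_scripts.sh <root> check <file>         report changes, exit 1 if any
if [ -n "$1" ]; then
    case "${2:-audit}" in
        harden)   harden_world_writable_scripts "$1" ;;
        baseline) write_script_baseline "$1" "$3" ;;
        check)    check_script_baseline "$1" "$3" ;;
        *)        find_world_writable_scripts "$1" ;;
    esac
fi
```

Run the audit first as an unprivileged user (`sh audit_uninstall_scripts.sh /Library`) to see what any local account could edit; the harden and baseline steps need sudo when the files are root-owned, which is exactly the case the advisory describes. The baseline only detects tampering after the fact, so it belongs alongside the hardening step, not instead of it.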
Evidence notes
The vulnerability description is sourced from NVD with reference to SEC Consult research. The CVSS vector confirms a local attack vector with HIGH impact across confidentiality, integrity and availability. A base score of 8.2 with the listed metrics (AV:L/AC:L/PR:L/UI:R) corresponds to a changed-scope vector (S:C); the same metrics with unchanged scope would score 7.3. Changed scope fits the mechanism here, since a write by a low-privileged user becomes root execution in a separate privileged component.
Official resources
- CVE-2026-24063 CVE record (CVE.org)
- CVE-2026-24063 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 551230f0-3615-47bd-b7cc-93e92e730bbf
The vulnerability was disclosed by SEC Consult; the SEC Consult advisory is the reference cited in the NVD record.