HIGH · CVE-2026-22926 · CNA: Omnissa

CVE-2026-22926: Omnissa Workspace ONE® Assist for macOS contains a Local Privilege Escalation Vulnerability

Omnissa Workspace ONE® Assist for macOS contains a Local Privilege Escalation Vulnerability.

Metrics

CVSS v3.1: 7.8
Severity: HIGH
Fixed in:
Affected Products: 1


HarborGuard Analysis

Synopsis

A local privilege escalation vulnerability affects Omnissa Workspace ONE Assist for macOS. The vulnerability is reached locally, meaning an attacker must already have a low-privilege account or process on the host, and no additional authentication beyond that is required. Successful exploitation gives the attacker full control over confidentiality, integrity, and availability on the affected system, effectively elevating to root or equivalent privileges. No fix version has been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as upstream ships a fix.

HarborGuard Coverage

Detection

Detection for this CVE is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built macOS-targeting container images, in connected registries and CI/CD pipelines.

Status: Available

Triage

Triage capability is available with the CVSS v3.1 score of 7.8 (HIGH), weighted against each customer's per-environment compliance policy to ensure the finding is routed to the appropriate team inbox within each organization.

Status: Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream fix is released. In the interim, the finding remains open and surfaced in each environment's vulnerability dashboard.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network-facing exposure is required to trigger this vulnerability.

  • Authentication: Required

    Any low-privilege local account is sufficient; the attacker does not need administrative or root credentials to initiate the exploit.

  • Victim interaction: Not required

    No user action such as clicking a link or opening a file is needed; the attacker can exploit the vulnerability without any victim participation.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors.

Blast Radius

  • Reads sensitive files, credentials, and secrets accessible on the host, including those normally restricted to root or privileged users.
  • Modifies or overwrites system files, configuration, and persisted application data across the host.
  • Crashes or terminates system services, rendering the affected macOS endpoint unavailable.
  • Establishes persistent elevated access that survives reboots or user session changes.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively monitored with no upstream fix currently published for any affected version of Omnissa Workspace ONE Assist for macOS (versions prior to 25.11.1, 25.09.1, 25.02.2, and 24.11.2). HarborGuard re-evaluates the advisory on every ingest cycle; the moment Omnissa publishes a patched release, a rebuilt image at the fixed version becomes available, and customers with auto-remediation enabled will automatically receive a regression-test run and a PR opened against affected workloads. In the interim, compensating controls worth evaluating include restricting local user account provisioning on macOS endpoints running Workspace ONE Assist, applying network-policy isolation to limit lateral movement in the event a low-privilege account is compromised, and using endpoint privilege management tooling to constrain privilege escalation paths on affected hosts.

Affected packages
  • Omnissa / Omnissa Workspace ONE® Assist for macOS
    Omnissa Workspace ONE® Assist for macOS version prior to 25.11.1 · Omnissa Workspace ONE® Assist for macOS version prior to 25.09.1 · Omnissa Workspace ONE® Assist for macOS version prior to 25.02.2 · Omnissa Workspace ONE® Assist for macOS version prior to 24.11.2
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H