2432045 – (CVE-2025-15523) CVE-2025-15523 inkscape: TCC Bypass via Inherited Permissions in Bundled Interpreter in Inkscape.app

Bug 2432045 (CVE-2025-15523) - CVE-2025-15523 inkscape: TCC Bypass via Inherited Permissions in Bundled Interpreter in Inkscape.app

Summary: CVE-2025-15523 inkscape: TCC Bypass via Inherited Permissions in Bundled Inte...

Keywords:
Status:	NEW
Alias:	CVE-2025-15523
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-22 15:01 UTC by OSIDB Bzimport
Modified:	2026-01-27 19:41 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-01-22 15:01:35 UTC

MacOS version of Inkscape bundles a Python interpreter that inherits the Transparency, Consent, and Control (TCC) permissions
granted by the user to the main application bundle. An attacker with local user access can
invoke this interpreter with arbitrary commands or scripts, leveraging the
application's previously granted TCC permissions to access user's files in privacy-protected folders without triggering user prompts. Accessing other resources beyond previously granted TCC permissions will prompt the user for approval in the name of Inkscape, potentially disguising attacker's malicious intent.

This issue has been fixed in 1.4.3 version of Inkscape.

Note You need to log in before you can comment on or make changes to this bug.