Darkreading
New macOS Flaw Allows Users to Disable Security Tools Without Admin Rights
Article Content
Researchers at XM Cyber have identified a macOS vulnerability that enables standard user accounts to disable enterprise security tools without requiring administrator credentials. The technique exploits the way macOS validates application trust, allowing attackers to impersonate trusted components and invoke privileged functions. The flaw affects major security products, including CrowdStrike Falcon and Kandji MDM; it does not require kernel exploits and does not trigger alerts. XM Cyber's tool, XPC Hunter, will be presented at Black Hat USA in August 2026 to help identify similar vulnerabilities. Kandji has patched the issue and assigned CVE-2026-39118, published on June 15, 2026. The vulnerability poses a significant risk to organizations relying on macOS for security. Apple has yet to respond or publish an advisory regarding this issue.
Key Points:
• Standard user accounts can disable enterprise security tools on macOS without admin rights.
• The vulnerability exploits macOS's trust validation process, affecting major products like CrowdStrike Falcon.
• Kandji has patched the issue, assigning CVE-2026-39118, but the flaw may impact other applications.