## Tailscale macOS XPC Service 'Downloader' Exposed: Missing Client Validation Allows Local App Access
A security flaw has been reported in the Tailscale macOS application that exposes an internal XPC service, named "Downloader", to any local program. According to the report, the service lacks `SMAuthorizedClients` client validation, so nothing restricts which processes may connect to it. Any application running on the same macOS system can therefore connect to this privileged service and invoke its methods, giving a local attacker a privilege escalation vector.

The vulnerability, classified as CWE-287 (Improper Authentication), stems from the service's configuration file, in which the `SMAuthorizedClients` array is empty or missing entirely. On macOS that array holds the code-signing requirements a privileged helper is meant to enforce on connecting clients; with it empty, and no other check in place, the service never verifies the identity or authorization of the process on the other end of the connection. The flaw was reported via a GitHub issue after the researcher was unable to reach Tailscale's security email address, the contact specified in the company's SECURITY.md policy, which points to a potential gap in the standard disclosure process.
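What the missing check looks like in a helper's listener delegate, as an added example that is not Tailscale's code: the first delegate accepts every connection, which is the pattern the report describes; the second evaluates a code-signing requirement against the peer before exposing any method. The Mach service name, protocol, bundle identifier and team ID are all placeholders. The requirement string is the kind of entry `SMAuthorizedClients` is meant to hold; that key is consulted by SMJobBless when the helper is installed, so enforcing it on each incoming connection is the helper's own responsibility.

```objective-c
// Added example (not Tailscale code): an NSXPCListener delegate that refuses
// connections from unauthorised peers. Everything named here is hypothetical:
// the Mach service name, the protocol, the bundle identifier and the team ID.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

@protocol DownloaderProtocol
- (void)downloadURL:(NSString *)url toPath:(NSString *)path reply:(void (^)(BOOL ok))reply;
@end

@interface Downloader : NSObject <DownloaderProtocol> @end
@implementation Downloader
- (void)downloadURL:(NSString *)url toPath:(NSString *)path reply:(void (^)(BOOL))reply {
    reply(NO); // placeholder body; the real work is irrelevant to the check
}
@end

// Hypothetical requirement: only the main app with this bundle identifier,
// signed by this Developer ID team, may talk to the helper.
static NSString * const kClientRequirement =
    @"anchor apple generic and identifier \"com.example.app\" "
     "and certificate leaf[subject.OU] = \"ABCDE12345\"";

// Pattern the report describes: every local process is accepted.
@interface VulnerableDelegate : NSObject <NSXPCListenerDelegate> @end
@implementation VulnerableDelegate
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)conn {
    conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(DownloaderProtocol)];
    conn.exportedObject = [Downloader new];
    [conn resume];
    return YES;
}
@end

// Hardened pattern: the peer must satisfy a code-signing requirement.
@interface HardenedDelegate : NSObject <NSXPCListenerDelegate> @end
@implementation HardenedDelegate
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)conn {
    SecRequirementRef req = NULL;
    if (SecRequirementCreateWithString((__bridge CFStringRef)kClientRequirement,
                                       kSecCSDefaultFlags, &req) != errSecSuccess) {
        return NO; // malformed requirement string: fail closed
    }
    BOOL accept = NO;
    if (@available(macOS 13.0, *)) {
        // Public API: Foundation binds the requirement to the peer and drops the
        // connection if the peer's code signature does not satisfy it.
        [conn setCodeSigningRequirement:kClientRequirement];
        accept = YES;
    } else {
        // Older systems: evaluate the requirement against the peer's PID.
        // Caveat: a PID can be reused after the original process exits, so this
        // check is racy; an audit-token based lookup is preferable where possible.
        NSDictionary *attrs = @{ (__bridge id)kSecGuestAttributePid : @(conn.processIdentifier) };
        SecCodeRef code = NULL;
        if (SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                           kSecCSDefaultFlags, &code) == errSecSuccess) {
            accept = (SecCodeCheckValidity(code, kSecCSDefaultFlags, req) == errSecSuccess);
            CFRelease(code);
        }
    }
    CFRelease(req);
    if (!accept) {
        return NO; // never resumed: the client sees an invalidated connection
    }
    conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(DownloaderProtocol)];
    conn.exportedObject = [Downloader new];
    [conn resume];
    return YES;
}
@end

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        // Hypothetical Mach service name; must match the helper's launchd plist.
        NSXPCListener *listener =
            [[NSXPCListener alloc] initWithMachServiceName:@"com.example.downloader"];
        HardenedDelegate *delegate = [HardenedDelegate new];
        listener.delegate = delegate;
        [listener resume];
        [[NSRunLoop currentRunLoop] run];
    }
    return 0;
}
```

The preflight with `SecRequirementCreateWithString` matters: a typo in the requirement string must reject everyone rather than accept everyone, and it also keeps a malformed string from reaching `setCodeSigningRequirement:`. On systems older than macOS 13 the PID-based fallback is the weaker option, because the PID can be recycled between the lookup and the first message; it is shown here with that caveat rather than as a recommendation.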

With a CVSS v3.1 base score of 6.5 (Medium), the risk is confined to the local attack surface but carries a high impact on integrity. The vector (`AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N`) describes a low-privileged local attacker who needs no user interaction and gains no direct confidentiality or availability impact, but can make high-impact integrity changes, potentially altering system state or application data; the scope change (S:C) means the impact extends beyond the vulnerable component itself. Until a patch is issued this exposure affects Tailscale's enterprise and individual macOS users, and it underscores the need for rigorous audits of privileged helper tools in widely deployed networking software.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: macOS, XPC, Security Vulnerability, Privilege Escalation, CWE-287
- **Credibility**: unverified
- **Published**: 2026-03-29 14:27:01
- **ID**: 39896
- **URL**: https://whisperx.ai/en/intel/39896