Security bulletins

Security notifications about the OrbStack app or services.

If you think you've found a vulnerability or other security issue, please contact us. We also have a security.txt.

ORB-2024-001

Published: April 16, 2025

Fixed: v1.9.0 (December 9, 2024)

Reported by: Jacopo Jannone (@jacopoj_) on December 7, 2024

Description: By default, macOS home directories have permissions 750, which allows other users in the group staff to read files in the home directory. This means that files outside Desktop, Documents, and similar folders, such as dotfiles and anything else added to the home directory, are readable by other users if they have the default 755 permissions. As a result, OrbStack's shared machine/container files at ~/OrbStack were readable by other users.

To fix this, we've tightened the permissions to 700 to match the default macOS data folders and ensure that other users can't read shared OrbStack files.
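
A check for the exposure described above, as an added example rather than OrbStack's own code: it lists the top-level entries of a home directory that grant any access to group or other, then applies the 700 mode from the fix. The function names and the sample directory tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not OrbStack code): find home-directory entries that other
# local accounts can access, then apply the bulletin's fix (mode 700).

# Print the six group/other permission characters of PATH, e.g. "r-xr-x".
group_other_bits() {
    ls -ld -- "$1" | head -n 1 | cut -c5-10
}

# Succeed only if PATH grants nothing to group or other (700, 600, ...).
is_private() {
    [ "$(group_other_bits "$1")" = "------" ]
}

# List top-level entries of DIR, dotfiles included, that are not private.
# Symlinks are skipped because their own mode bits are not meaningful.
audit_home() {
    for entry in "$1"/* "$1"/.[!.]*; do
        if [ ! -e "$entry" ] || [ -L "$entry" ]; then continue; fi
        is_private "$entry" || printf '%s\n' "${entry##*/}"
    done
}

# Constructed sample: a stand-in home directory, not a real account.
demo() {
    home=$(mktemp -d) || return 1
    mkdir "$home/OrbStack" "$home/Documents"
    : > "$home/.exampletoken"
    chmod 750 "$home"
    chmod 755 "$home/OrbStack"      # pre-fix: the default 755 from the bulletin
    chmod 700 "$home/Documents"     # matches the macOS data folders
    chmod 644 "$home/.exampletoken"
    echo "exposed before:"; audit_home "$home"
    chmod 700 "$home/OrbStack"      # the fix
    echo "exposed after:";  audit_home "$home"
    rm -rf "$home"
}

demo
```

Running `audit_home "$HOME"` on a real account shows which dotfiles and added directories still carry group or other permission bits.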