Skip to main content

Safari CVE-2026-20691

| EUVDEUVD-2026-15062 MEDIUM
Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497)
2026-03-25 apple GHSA-rqx2-8fr2-c94c
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
SUSE
MEDIUM
qualitative
Red Hat
4.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Apr 09, 2026 - 14:30 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 01:00 euvd
EUVD-2026-15062
Analysis Generated
Mar 25, 2026 - 01:00 vuln.today
CVE Published
Mar 25, 2026 - 00:35 nvd
MEDIUM 4.3

DescriptionCVE.org

An authorization issue was addressed with improved state management. This issue is fixed in Safari 26.4, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4, watchOS 26.4. A maliciously crafted webpage may be able to fingerprint the user.

AnalysisAI

An authorization and state management flaw in Apple's WebKit browser engine allows maliciously crafted webpages to fingerprint users by exploiting improper state handling during web interactions. This vulnerability affects Safari 26.4, iOS 26.4, iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4, and watchOS 26.4 across all Apple platforms. An attacker can exploit this by hosting a specially crafted webpage that leverages the state management weakness to extract browser or device identifiers without user knowledge, enabling user tracking and profiling attacks. No CVSS score, EPSS data, or public proof-of-concept details are currently available, though Apple has released fixes across all affected platforms.

Technical ContextAI

This vulnerability resides in WebKit, Apple's rendering engine used across Safari, iOS Safari, and other Apple platforms (confirmed via multiple CPE entries: cpe:2.3:a:apple:safari, cpe:2.3:a:apple:ios_and_ipados, cpe:2.3:a:apple:macos, cpe:2.3:a:apple:visionos, cpe:2.3:a:apple:watchos). The root cause is classified as an authorization issue exacerbated by inadequate state management—likely related to how the browser maintains and validates security-critical state during cross-origin interactions or session handling. Rather than a traditional authentication bypass, this appears to be an information disclosure vulnerability where improper state validation allows a webpage to infer or extract device/browser fingerprinting data that should remain hidden or require explicit authorization.

RemediationAI

Immediately upgrade Safari to version 26.4 or later, iOS to version 26.4 or later, iPadOS to version 26.4 or later, macOS to Tahoe 26.4 or later, visionOS to version 26.4 or later, and watchOS to version 26.4 or later depending on affected devices. Users should enable automatic security updates in Settings > General > Software Update > Automatic Updates (iOS/iPadOS/watchOS) or System Settings > General > Software Update (macOS) to ensure timely patching. Until updates are applied, users concerned about fingerprinting should enable Safari's Privacy Mode or use enhanced tracking prevention settings; however, this does not fully mitigate the vulnerability as it relates to state management issues rather than traditional tracking. Organizations managing Apple devices should deploy Mobile Device Management (MDM) or Mac Management profiles to enforce automatic OS and Safari updates across their fleet. Consult the official Apple security advisories linked in the affected products section for platform-specific patch details.

More in Safari

View all
CVE-2017-2547 HIGH POC
8.8 May 22

An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi

CVE-2014-1303 CRITICAL POC
10.0 Mar 26

Heap-based buffer overflow in Apple Safari 7.0.2 allows remote attackers to execute arbitrary code and bypass a sandbox

CVE-2023-43000 HIGH POC
8.8 Nov 05

A use-after-free issue was addressed with improved memory management. Rated high severity (CVSS 8.8), this vulnerability

CVE-2016-4622 HIGH
8.8 Jul 22

WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to execute arbitrar

CVE-2015-1155 MEDIUM POC
4.3 May 08

The history implementation in WebKit, as used in Apple Safari before 6.2.6, 7.x before 7.1.6, and 8.x before 8.0.6, allo

CVE-2015-1126 MEDIUM POC
4.3 Apr 10

WebKit, as used in Apple iOS before 8.3 and Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5, does not

CVE-2017-2446 HIGH POC
8.8 Apr 02

An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi

CVE-2017-13802 HIGH POC
8.8 Nov 13

An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi

CVE-2017-13795 HIGH POC
8.8 Nov 13

An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi

CVE-2017-13794 HIGH POC
8.8 Nov 13

An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi

CVE-2017-13792 HIGH POC
8.8 Nov 13

An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi

CVE-2017-13785 HIGH POC
8.8 Nov 13

An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Server for SAP Applications 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

CVE-2026-20691 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy