Skip to main content

Apple CVE-2026-28833

| EUVDEUVD-2026-15103 MEDIUM
Improper Access Control (CWE-284)
2026-03-25 apple
6.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.2 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
26.4
EUVD ID Assigned
Mar 25, 2026 - 01:00 euvd
EUVD-2026-15103
Analysis Generated
Mar 25, 2026 - 01:00 vuln.today
CVE Published
Mar 25, 2026 - 00:35 nvd
MEDIUM 6.2

DescriptionCVE.org

A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. An app may be able to enumerate a user's installed apps.

AnalysisAI

A permissions enforcement vulnerability in Apple's operating systems allows third-party applications to enumerate installed applications on a user's device without proper authorization. This information disclosure issue affects iOS, iPadOS, macOS, and visionOS versions prior to 26.4, enabling attackers to gain insight into a user's software ecosystem for profiling or targeting purposes. Apple has addressed this with additional access restrictions in the patched versions, though no CVSS score, EPSS data, or known active exploitation has been publicly disclosed.

Technical ContextAI

This vulnerability stems from inadequate permission validation in the application query mechanisms across Apple's operating system stack. The affected CPE strings—cpe:2.3:a:apple:ios_and_ipados, cpe:2.3:a:apple:macos, and cpe:2.3:a:apple:visionos—indicate the issue exists in core OS-level APIs that handle app enumeration and sandbox enforcement. While no specific CWE is publicly listed, the root cause aligns with CWE-276 (Incorrect Default Permissions) or CWE-732 (Incorrect Permission Assignment for Critical Resource), as the vulnerability involves insufficient restriction on access to the system's application inventory. The fix required 'additional restrictions' on permissions, suggesting Apple's original permission model did not adequately gate access to queryable app data.

RemediationAI

Immediately upgrade to iOS 26.4, iPadOS 26.4, macOS Tahoe 26.4, or visionOS 26.4 as appropriate for your affected devices. Apple's security updates are available through Settings > General > Software Update on iOS/iPadOS/visionOS, and System Settings > General > Software Update on macOS; enable automatic updates if not already configured. For enterprise deployments, use Mobile Device Management (MDM) or Mac management tools to enforce and track patch compliance. Until patching is complete, reduce app permissions granted to untrusted applications by reviewing Settings > Privacy & Security (on iOS/iPadOS) or System Settings > Privacy & Security (on macOS), and consider restricting app installation from untrusted sources. Consult Apple Support documents at https://support.apple.com/en-us/126792, https://support.apple.com/en-us/126794, and https://support.apple.com/en-us/126799 for version-specific guidance.

Share

CVE-2026-28833 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy