Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. An app may be able to enumerate a user's installed apps.
AnalysisAI
A permissions enforcement vulnerability in Apple's operating systems allows third-party applications to enumerate installed applications on a user's device without proper authorization. This information disclosure issue affects iOS, iPadOS, macOS, and visionOS versions prior to 26.4, enabling attackers to gain insight into a user's software ecosystem for profiling or targeting purposes. Apple has addressed this with additional access restrictions in the patched versions, though no CVSS score, EPSS data, or known active exploitation has been publicly disclosed.
Technical ContextAI
This vulnerability stems from inadequate permission validation in the application query mechanisms across Apple's operating system stack. The affected CPE strings—cpe:2.3:a:apple:ios_and_ipados, cpe:2.3:a:apple:macos, and cpe:2.3:a:apple:visionos—indicate the issue exists in core OS-level APIs that handle app enumeration and sandbox enforcement. While no specific CWE is publicly listed, the root cause aligns with CWE-276 (Incorrect Default Permissions) or CWE-732 (Incorrect Permission Assignment for Critical Resource), as the vulnerability involves insufficient restriction on access to the system's application inventory. The fix required 'additional restrictions' on permissions, suggesting Apple's original permission model did not adequately gate access to queryable app data.
RemediationAI
Immediately upgrade to iOS 26.4, iPadOS 26.4, macOS Tahoe 26.4, or visionOS 26.4 as appropriate for your affected devices. Apple's security updates are available through Settings > General > Software Update on iOS/iPadOS/visionOS, and System Settings > General > Software Update on macOS; enable automatic updates if not already configured. For enterprise deployments, use Mobile Device Management (MDM) or Mac management tools to enforce and track patch compliance. Until patching is complete, reduce app permissions granted to untrusted applications by reviewing Settings > Privacy & Security (on iOS/iPadOS) or System Settings > Privacy & Security (on macOS), and consider restricting app installation from untrusted sources. Consult Apple Support documents at https://support.apple.com/en-us/126792, https://support.apple.com/en-us/126794, and https://support.apple.com/en-us/126799 for version-specific guidance.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15103