Skip to main content

Apple Keychain CVE-2026-28860

| EUVDEUVD-2026-29221 HIGH
Improper Input Validation (CWE-20)
2026-05-11 apple GHSA-6p6x-vh8j-jf65
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 12, 2026 - 14:23 vuln.today
CVSS changed
May 12, 2026 - 14:22 NVD
7.5 (HIGH)
Patch available
May 11, 2026 - 22:03 EUVD
CVE Published
May 11, 2026 - 20:08 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:08 nvd
HIGH 7.5

DescriptionCVE.org

The issue was addressed with improved input validation. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. A local attacker may be able to modify the state of the Keychain.

AnalysisAI

Local attackers can modify Apple Keychain state across iOS, iPadOS, macOS, tvOS, visionOS, and watchOS due to improper input validation (CWE-20). This affects all Apple operating systems prior to their respective April 2026 security updates. Despite a CVSS score of 7.5, exploitation requires local access with specific privileges (description states 'local attacker'), contradicting the CVSS vector's AV:N/PR:N rating. EPSS score of 0.02% (7th percentile) indicates very low observed exploitation probability. No public exploit identified at time of analysis and not listed in CISA KEV. Vendor-released patches available across all platforms as of April 2026.

Technical ContextAI

This vulnerability affects Apple's Keychain subsystem, the OS-level credential management framework used across all Apple platforms for storing passwords, certificates, encryption keys, and other sensitive secrets. The root cause is improper input validation (CWE-20) when processing requests to modify Keychain state. Keychain operations typically require entitlements and process-level permissions, suggesting the vulnerability bypasses normal access controls through malformed input. The affected products span Apple's entire ecosystem: iOS/iPadOS (mobile), macOS Sequoia 15.x/Sonoma 14.x/Tahoe 26.x (desktop), tvOS (streaming devices), visionOS (spatial computing), and watchOS (wearables). The CPE strings confirm system-level impact across all product lines rather than a single application component.

RemediationAI

Apply vendor-released patches immediately: upgrade iOS/iPadOS devices to version 18.7.7 or 26.4, macOS Sequoia to 15.7.5, macOS Sonoma to 14.8.5, macOS Tahoe to 26.4, and tvOS/visionOS/watchOS to 26.4 as documented in Apple security advisories HT126792-HT126799 (https://support.apple.com/en-us/126792 through 126799). For devices that cannot be patched immediately, implement compensating controls: enforce full-disk encryption with strong passwords to raise local access barriers, enable FileVault on macOS and require device passcodes on iOS/iPadOS/watchOS (these do not prevent exploitation but limit attacker access to the device itself), restrict physical access to unattended devices, deploy Mobile Device Management (MDM) with remote wipe capabilities for lost/stolen devices, and monitor for unauthorized Keychain Access.app usage or keychain file modifications via endpoint detection tools. Note that disabling Keychain is not practical as it breaks password autofill, certificate management, and app authentication flows. Compensating controls only reduce attack surface by limiting local access opportunities, not the vulnerability itself.

Share

CVE-2026-28860 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy