Skip to main content

Apple CVE-2026-28870

| EUVDEUVD-2026-15148 MEDIUM
2026-03-25 apple GHSA-4c59-fwcr-3f7g
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
26.4
EUVD ID Assigned
Mar 25, 2026 - 01:00 euvd
EUVD-2026-15148
Analysis Generated
Mar 25, 2026 - 01:00 vuln.today
CVE Published
Mar 25, 2026 - 00:31 nvd
MEDIUM 5.5

DescriptionCVE.org

An information leakage was addressed with additional validation. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to access sensitive user data.

AnalysisAI

An information leakage vulnerability affecting Apple's operating systems across multiple platforms (iOS, iPadOS, macOS, tvOS, visionOS, and watchOS) allows third-party applications to access sensitive user data through insufficient validation mechanisms. The vulnerability impacts all versions prior to the 26.4 release across affected platforms, enabling malicious or compromised applications to bypass access controls and exfiltrate private user information. While no CVSS score, EPSS data, or active exploitation in the wild has been publicly disclosed, the breadth of affected platforms and the fundamental nature of information disclosure vulnerabilities suggest moderate to significant real-world risk.

Technical ContextAI

This vulnerability represents an information disclosure flaw rooted in inadequate input validation or access control mechanisms within Apple's operating system kernels and system frameworks. The affected platforms—iOS/iPadOS (cpe:2.3:a:apple:ios_and_ipados:*:*:*:*:*:*:*:*), macOS (cpe:2.3:a:apple:macos:*:*:*:*:*:*:*:*), tvOS (cpe:2.3:a:apple:tvos:*:*:*:*:*:*:*:*), visionOS (cpe:2.3:a:apple:visionos:*:*:*:*:*:*:*:*), and watchOS (cpe:2.3:a:apple:watchos:*:*:*:*:*:*:*:*)—all share common system-level architecture where application sandboxing and data access controls are enforced. The root cause likely falls within CWE categories related to improper access control or information exposure, suggesting that the validation logic governing which applications can access certain user data or system resources was insufficiently restrictive, allowing unauthorized data access by third-party applications operating within the sandboxed environment.

RemediationAI

Immediately upgrade all affected Apple devices to version 26.4 or later for their respective operating systems: iOS 26.4, iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, and watchOS 26.4. Organizations should prioritize devices handling sensitive personal or health data, financial information, or enterprise credentials. Enable automatic security updates in Settings to ensure rapid deployment of future patches. Consult the platform-specific Apple security advisories at https://support.apple.com/en-us/126792 through https://support.apple.com/en-us/126799 for detailed upgrade instructions and any version-specific considerations. Until patching is feasible, audit installed third-party applications and uninstall or restrict permissions for applications requesting access to sensitive data categories, though this is a workaround and not a substitute for patching.

Share

CVE-2026-28870 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy