Skip to main content

Apple CVE-2026-28877

| EUVDEUVD-2026-15155 MEDIUM
Information Exposure (CWE-200)
2026-03-25 apple
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
26.4,15.7.5
EUVD ID Assigned
Mar 25, 2026 - 01:00 euvd
EUVD-2026-15155
Analysis Generated
Mar 25, 2026 - 01:00 vuln.today
CVE Published
Mar 25, 2026 - 00:32 nvd
MEDIUM 5.5

DescriptionCVE.org

An authorization issue was addressed with improved state management. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Tahoe 26.4, visionOS 26.4, watchOS 26.4. An app may be able to access sensitive user data.

AnalysisAI

An authorization bypass vulnerability in Apple's operating systems allows third-party applications to access sensitive user data through improper state management during authorization checks. The vulnerability affects iOS/iPadOS 26.4 and earlier, macOS Sequoia 15.7.5 and earlier, macOS Tahoe 26.4 and earlier, visionOS 26.4 and earlier, and watchOS 26.4 and earlier across multiple Apple devices and platforms. An attacker can exploit this by crafting a malicious application that circumvents authorization controls to read protected user information without explicit user consent. No CVSS score, EPSS probability, or active exploitation status has been disclosed by Apple, though the vulnerability spans all major Apple operating systems indicating broad platform impact.

Technical ContextAI

The vulnerability exists in Apple's authorization and permission management framework, which enforces user data access controls across iOS, iPadOS, macOS, visionOS, and watchOS platforms as identified by CPE strings (cpe:2.3:a:apple:ios_and_ipados, cpe:2.3:a:apple:macos, cpe:2.3:a:apple:visionos, cpe:2.3:a:apple:watchos). The root cause is classified as an information disclosure issue stemming from improper state management in the authorization subsystem. The vulnerability allows applications running on these platforms to maintain or reuse valid authorization states beyond their intended scope or duration, enabling unauthorized access to sensitive user data such as contacts, location, photos, health data, or other protected resources normally gated by iOS/macOS permission prompts. This is a state-management weakness rather than a cryptographic or network protocol flaw, making it a logical authorization control bypass at the OS level.

RemediationAI

Immediate upgrade to patched versions is required across all Apple devices: upgrade to iOS/iPadOS 26.4 or later, macOS Sequoia 15.7.5 or later, macOS Tahoe 26.4 or later, visionOS 26.4 or later, and watchOS 26.4 or later. Updates can be obtained through Settings > General > Software Update on each device type. Until patching is completed, users should audit installed third-party applications and remove or disable any apps from untrusted sources that request sensitive permissions such as location, contacts, photos, or health data. IT administrators should enforce automatic OS updates via Mobile Device Management (MDM) on managed iOS/iPadOS devices and enable automatic macOS updates through System Settings > General > Software Update > Automatic Updates. For Vision Pro and Watch deployments, enable automatic updates through the companion iPhone or Mac. Additionally, review application permissions regularly (iOS: Settings > Privacy, macOS: System Settings > Privacy & Security) and disable unnecessary permissions until patches are applied. See Apple's official advisory links for detailed patch notes.

Share

CVE-2026-28877 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy