Skip to main content

macOS Gatekeeper CVE-2026-28954

| EUVDEUVD-2026-29259 HIGH
Authentication Bypass by Spoofing (CWE-290)
2026-05-11 apple GHSA-c44j-w46w-v5rw
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 12, 2026 - 14:27 vuln.today
CVSS changed
May 12, 2026 - 14:22 NVD
7.5 (HIGH)
Patch available
May 11, 2026 - 22:18 EUVD
CVE Published
May 11, 2026 - 20:07 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:07 nvd
HIGH 7.5

DescriptionCVE.org

A file quarantine bypass was addressed with additional checks. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. A maliciously crafted disk image may bypass Gatekeeper checks.

AnalysisAI

macOS Gatekeeper can be bypassed using specially crafted disk images, allowing unauthenticated remote attackers to execute untrusted code without security warnings across iOS, iPadOS, and all supported macOS versions. Apple has released patches addressing this authentication bypass in macOS Tahoe 26.5, Sequoia 15.7.7, Sonoma 14.8.7, iOS 18.7.9, and iPadOS 18.7.9. Despite the CVSS 7.5 HIGH rating, EPSS probability remains very low at 0.02% (5th percentile), suggesting limited immediate exploitation risk, though the attack requires no special conditions and could be delivered via common distribution channels like email or web downloads.

Technical ContextAI

Apple Gatekeeper is macOS's security feature implementing file quarantine (com.apple.quarantine extended attribute) to verify downloaded files against known malware signatures and developer certificates before execution. This vulnerability (CWE-290: Authentication Bypass by Spoofing) indicates that disk image (.dmg) files can be constructed to evade the quarantine checks that normally trigger certificate validation and security prompts. The bypass affects the quarantine enforcement mechanism itself rather than signature verification, allowing malicious disk images to execute without user warnings. Affected products span Apple's entire ecosystem: iOS and iPadOS (mobile devices), macOS Sonoma 14.x (2023 release), macOS Sequoia 15.x (2024 release), and macOS Tahoe 26.x (2025/2026 release), indicating a fundamental flaw in Apple's file quarantine implementation shared across platforms.

RemediationAI

Apply vendor-released patches immediately: upgrade to iOS 18.7.9 or iPadOS 18.7.9 for mobile devices, macOS Sonoma 14.8.7 for 2023-era systems, macOS Sequoia 15.7.7 for 2024-era systems, or macOS Tahoe 26.5 for 2025/2026-era systems as documented in Apple security advisories HT127111, HT127115, HT127116, and HT127117 (https://support.apple.com/en-us/127111 and related URLs). For environments where immediate patching is not feasible, implement the following compensating controls: disable automatic disk image mounting in Finder preferences (Preferences > General > uncheck 'Open Safe Files') to prevent auto-execution, configure email gateway filtering to block .dmg file attachments or quarantine them for manual security review (may impact legitimate software distribution workflows), and deploy endpoint detection solutions to monitor quarantine attribute manipulation attempts via extended attribute changes to com.apple.quarantine. User awareness training should emphasize verifying disk image sources before mounting and checking for valid Apple Notarization using 'spctl --assess -v' command-line validation before opening downloaded DMG files from untrusted sources, though this manual verification adds significant operational overhead for non-technical users.

Share

CVE-2026-28954 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy