Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. An app may be able to cause a denial-of-service.
AnalysisAI
Confidentiality breach in Apple's operating systems (iOS, iPadOS, macOS, tvOS, visionOS, watchOS) allows remote unauthenticated attackers to access high-sensitivity information through improper access control checks. Despite the vendor description indicating denial-of-service impact, the CVSS vector reveals a severe confidentiality compromise (C:H) with network-accessible attack surface requiring no authentication. Apple has patched all affected platforms in coordinated security updates released across six operating systems. EPSS score of 0.02% suggests low observed exploitation probability, and no public exploit code has been identified at time of analysis.
Technical ContextAI
This vulnerability stems from CWE-284 (Improper Access Control), indicating insufficient authorization enforcement in Apple's cross-platform framework components. The affected technology spans Apple's entire ecosystem: iOS/iPadOS mobile devices, macOS desktop/laptop systems (both Sequoia and newer Tahoe branches), tvOS streaming devices, visionOS spatial computing platform, and watchOS wearables. The CPE strings confirm application-layer vulnerabilities rather than kernel-level flaws. The root cause involves inadequate validation of authorization checks before granting access to sensitive resources or data, allowing applications to bypass intended security boundaries. Apple's fix involved 'improved checks to prevent unauthorized actions,' suggesting the addition of missing authorization gates or strengthening of existing permission validation logic in shared framework code deployed across all platforms.
RemediationAI
Apply vendor-released patches immediately: upgrade iOS and iPadOS to version 26.5, macOS Sequoia to version 15.7.7, macOS Tahoe to version 26.5, tvOS to version 26.5, visionOS to version 26.5, and watchOS to version 26.5. Updates are available through standard Apple software update mechanisms for each platform. Consult platform-specific security advisories at https://support.apple.com/en-us/127110 (iOS/iPadOS), https://support.apple.com/en-us/127115 (macOS Sequoia), https://support.apple.com/en-us/127116 (macOS Tahoe), https://support.apple.com/en-us/127118 (tvOS), https://support.apple.com/en-us/127119 (visionOS), and https://support.apple.com/en-us/127120 (watchOS). No workarounds are documented. As a compensating control until patching, restrict installation of third-party applications to trusted sources only and enforce mobile device management policies that limit app installation permissions, though this significantly impacts device usability and does not prevent exploitation by apps already installed or distributed through official app stores.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29274
GHSA-xxh7-j8v2-g57f