Skip to main content

Apple iOS, macOS, visionOS, watchOS CVE-2026-28988

| EUVDEUVD-2026-29282 MEDIUM
Improper Access Control (CWE-284)
2026-05-11 apple GHSA-8pv7-gjvg-66w2
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 13, 2026 - 00:45 vuln.today
CVSS changed
May 12, 2026 - 22:22 NVD
5.5 (MEDIUM)
Patch available
May 11, 2026 - 22:18 EUVD
CVE Published
May 11, 2026 - 20:08 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:08 nvd
MEDIUM 5.5

DescriptionCVE.org

A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5, watchOS 26.5. An app may be able to bypass certain Privacy preferences.

AnalysisAI

Privacy bypass in Apple operating systems allows local authenticated apps to circumvent user-configured privacy restrictions through permission mishandling. The vulnerability affects iOS, iPadOS, macOS Tahoe, visionOS, and watchOS versions prior to 26.5. An attacker with local app execution privileges can access sensitive data classified as restricted by user privacy settings, though without authentication bypass or integrity compromise. Fixed in coordinated OS updates across Apple's ecosystem.

Technical ContextAI

The vulnerability stems from insufficient access control enforcement in Apple's privacy permission model, classified under CWE-284 (Improper Access Control-Permissions, Privileges, and Other Access Controls). The root cause involves inadequate restrictions on how apps interact with the privacy preferences system. While details are limited by Apple's disclosure practices, this reflects a common class of vulnerabilities where privilege boundaries or capability enforcement mechanisms fail to prevent unauthorized data access. The affected systems span multiple Apple platforms running kernel and framework code that enforces privacy sandboxing, suggesting a shared component or framework flaw across iOS, macOS, visionOS, and watchOS.

RemediationAI

Vendor-released patch: Update to iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5, or watchOS 26.5. For all affected platforms, navigate to Settings > General > Software Update (iOS/iPadOS/watchOS) or System Settings > General > Software Update (macOS/visionOS) and install the latest available version. Additional details on platform-specific security updates are available in Apple security advisories: https://support.apple.com/en-us/127110 (macOS), https://support.apple.com/en-us/127115 (iOS/iPadOS), https://support.apple.com/en-us/127119 (visionOS), https://support.apple.com/en-us/127120 (watchOS). No compensating controls mitigate the privacy bypass without patching; however, organizations can reduce exposure by restricting sideloaded app installation (macOS, iOS) and using Mobile Device Management (MDM) policies to enforce App Store-only distribution on managed devices.

Share

CVE-2026-28988 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy