Skip to main content

Apple EUVDEUVD-2026-15139

| CVE-2026-28863 MEDIUM
Improper Access Control (CWE-284)
2026-03-25 apple GHSA-9q9v-gcpr-jqgv
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
26.4
EUVD ID Assigned
Mar 25, 2026 - 01:00 euvd
EUVD-2026-15139
Analysis Generated
Mar 25, 2026 - 01:00 vuln.today
CVE Published
Mar 25, 2026 - 00:32 nvd
MEDIUM 6.5

DescriptionCVE.org

A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.4 and iPadOS 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to fingerprint the user.

AnalysisAI

A permissions issue across Apple's ecosystem allows applications to fingerprint users by accessing information that should be restricted. The vulnerability affects iOS and iPadOS versions prior to 26.4, tvOS prior to 26.4, visionOS prior to 26.4, and watchOS prior to 26.4. Attackers can exploit this by deploying a malicious app that leverages inadequate permission restrictions to collect device and user identifiers for tracking and profiling purposes. The issue has been addressed by Apple through additional permission restrictions in the patched versions, indicating this is a known vulnerability with an available fix.

Technical ContextAI

This vulnerability stems from insufficient permission controls in Apple's operating systems that govern application access to user identification data. The CWE category of Information Disclosure indicates that the root cause involves unauthorized access to sensitive information through inadequate permission enforcement. The affected CPEs span multiple Apple platforms (iOS/iPadOS, tvOS, visionOS, and watchOS), suggesting a systemic permission architecture issue rather than platform-specific implementation flaws. The fingerprinting capability exploits the absence of proper gating mechanisms that should restrict which applications can access identifiers used for user tracking, device identification, or cross-application correlation.

RemediationAI

Update to iOS and iPadOS version 26.4 or later, tvOS version 26.4 or later, visionOS version 26.4 or later, and watchOS version 26.4 or later as soon as possible. These updates implement additional permission restrictions that prevent unauthorized fingerprinting. Users should enable automatic updates in their device settings to receive security patches immediately upon release. In environments where immediate patching is not feasible, implement app vetting procedures to restrict installation of applications from untrusted sources, and consider using Mobile Device Management (MDM) solutions to enforce security policies and restrict app installations. Review installed applications for suspicious behavior or unfamiliar permissions requests related to device identifiers or user tracking capabilities.

Share

EUVD-2026-15139 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy