Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
An information leakage was addressed with additional validation. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to access sensitive user data.
AnalysisAI
An information leakage vulnerability affecting Apple's operating systems across multiple platforms (iOS, iPadOS, macOS, tvOS, visionOS, and watchOS) allows third-party applications to access sensitive user data through insufficient validation mechanisms. The vulnerability impacts all versions prior to the 26.4 release across affected platforms, enabling malicious or compromised applications to bypass access controls and exfiltrate private user information. While no CVSS score, EPSS data, or active exploitation in the wild has been publicly disclosed, the breadth of affected platforms and the fundamental nature of information disclosure vulnerabilities suggest moderate to significant real-world risk.
Technical ContextAI
This vulnerability represents an information disclosure flaw rooted in inadequate input validation or access control mechanisms within Apple's operating system kernels and system frameworks. The affected platforms—iOS/iPadOS (cpe:2.3:a:apple:ios_and_ipados:*:*:*:*:*:*:*:*), macOS (cpe:2.3:a:apple:macos:*:*:*:*:*:*:*:*), tvOS (cpe:2.3:a:apple:tvos:*:*:*:*:*:*:*:*), visionOS (cpe:2.3:a:apple:visionos:*:*:*:*:*:*:*:*), and watchOS (cpe:2.3:a:apple:watchos:*:*:*:*:*:*:*:*)—all share common system-level architecture where application sandboxing and data access controls are enforced. The root cause likely falls within CWE categories related to improper access control or information exposure, suggesting that the validation logic governing which applications can access certain user data or system resources was insufficiently restrictive, allowing unauthorized data access by third-party applications operating within the sandboxed environment.
RemediationAI
Immediately upgrade all affected Apple devices to version 26.4 or later for their respective operating systems: iOS 26.4, iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, and watchOS 26.4. Organizations should prioritize devices handling sensitive personal or health data, financial information, or enterprise credentials. Enable automatic security updates in Settings to ensure rapid deployment of future patches. Consult the platform-specific Apple security advisories at https://support.apple.com/en-us/126792 through https://support.apple.com/en-us/126799 for detailed upgrade instructions and any version-specific considerations. Until patching is feasible, audit installed third-party applications and uninstall or restrict permissions for applications requesting access to sensitive data categories, though this is a workaround and not a substitute for patching.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15148
GHSA-4c59-fwcr-3f7g