Skip to main content

iOS and iPadOS EUVDEUVD-2026-29223

| CVE-2026-28873 HIGH
Incorrect Authorization (CWE-863)
2026-05-11 apple GHSA-f5rg-6cw8-4phq
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 13, 2026 - 15:53 vuln.today
CVSS changed
May 13, 2026 - 15:52 NVD
7.5 (HIGH)
Patch available
May 11, 2026 - 22:03 EUVD
CVE Published
May 11, 2026 - 20:08 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:08 nvd
HIGH 7.5

DescriptionCVE.org

This issue was addressed with additional entitlement checks. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.4 and iPadOS 26.4. An app may be able to circumvent App Privacy Report logging.

AnalysisAI

Apps on iOS and iPadOS can bypass App Privacy Report logging due to insufficient entitlement checks, allowing malicious applications to conceal their privacy-invasive activities from users. Fixed in iOS/iPadOS 18.7.9 and 26.4. The CVSS vector (AV:N/AC:L/PR:N/UI:N) appears inconsistent with the actual attack requirements, as exploitation requires a malicious app already installed on the device, not remote network access. Despite the 7.5 CVSS score, EPSS exploitation probability is very low (0.02%, 5th percentile), no active exploitation is confirmed, and no public exploit code identified at time of analysis.

Technical ContextAI

This vulnerability stems from CWE-863 (Incorrect Authorization), where iOS/iPadOS failed to properly validate app entitlements before allowing operations that should be logged by App Privacy Report. App Privacy Report, introduced in iOS 15, tracks when apps access sensitive permissions like location, camera, microphone, and network activity, providing transparency to users. Entitlements are Apple's code-signing mechanism that grants apps specific capabilities. The missing entitlement checks allowed apps to perform privacy-sensitive operations without triggering the logging subsystem, defeating the transparency mechanism. Apple addressed this by implementing additional entitlement validation before allowing operations to proceed unlogged. The affected products are iOS and iPadOS versions prior to 18.7.9 in the 18.x branch and prior to 26.4 in the 26.x branch, as identified by CPE cpe:2.3:a:apple:ios_and_ipados.

RemediationAI

Update to iOS/iPadOS 18.7.9 for devices on the 18.x branch or iOS/iPadOS 26.4 for devices on the 26.x branch. Apple has released patches through standard over-the-air software update mechanisms. Users should navigate to Settings > General > Software Update to apply the fix. For enterprise environments, deploy the updates through Mobile Device Management (MDM) solutions using standard iOS update profiles. No workarounds are available that restore full App Privacy Report functionality. Compensating controls include restricting app installation sources to the official App Store only (disabling sideloading and enterprise app certificates), implementing MDM policies that audit installed applications, and using network-level monitoring to detect suspicious app behavior that would otherwise be logged by App Privacy Report. Trade-off: These compensating controls add operational overhead and do not restore user-facing privacy transparency. Organizations should prioritize patch deployment over temporary mitigations. Full advisory details at https://support.apple.com/en-us/126792 and https://support.apple.com/en-us/127111.

Share

EUVD-2026-29223 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy