Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
This issue was addressed with additional entitlement checks. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.4 and iPadOS 26.4. An app may be able to circumvent App Privacy Report logging.
AnalysisAI
Apps on iOS and iPadOS can bypass App Privacy Report logging due to insufficient entitlement checks, allowing malicious applications to conceal their privacy-invasive activities from users. Fixed in iOS/iPadOS 18.7.9 and 26.4. The CVSS vector (AV:N/AC:L/PR:N/UI:N) appears inconsistent with the actual attack requirements, as exploitation requires a malicious app already installed on the device, not remote network access. Despite the 7.5 CVSS score, EPSS exploitation probability is very low (0.02%, 5th percentile), no active exploitation is confirmed, and no public exploit code identified at time of analysis.
Technical ContextAI
This vulnerability stems from CWE-863 (Incorrect Authorization), where iOS/iPadOS failed to properly validate app entitlements before allowing operations that should be logged by App Privacy Report. App Privacy Report, introduced in iOS 15, tracks when apps access sensitive permissions like location, camera, microphone, and network activity, providing transparency to users. Entitlements are Apple's code-signing mechanism that grants apps specific capabilities. The missing entitlement checks allowed apps to perform privacy-sensitive operations without triggering the logging subsystem, defeating the transparency mechanism. Apple addressed this by implementing additional entitlement validation before allowing operations to proceed unlogged. The affected products are iOS and iPadOS versions prior to 18.7.9 in the 18.x branch and prior to 26.4 in the 26.x branch, as identified by CPE cpe:2.3:a:apple:ios_and_ipados.
RemediationAI
Update to iOS/iPadOS 18.7.9 for devices on the 18.x branch or iOS/iPadOS 26.4 for devices on the 26.x branch. Apple has released patches through standard over-the-air software update mechanisms. Users should navigate to Settings > General > Software Update to apply the fix. For enterprise environments, deploy the updates through Mobile Device Management (MDM) solutions using standard iOS update profiles. No workarounds are available that restore full App Privacy Report functionality. Compensating controls include restricting app installation sources to the official App Store only (disabling sideloading and enterprise app certificates), implementing MDM policies that audit installed applications, and using network-level monitoring to detect suspicious app behavior that would otherwise be logged by App Privacy Report. Trade-off: These compensating controls add operational overhead and do not restore user-facing privacy transparency. Organizations should prioritize patch deployment over temporary mitigations. Full advisory details at https://support.apple.com/en-us/126792 and https://support.apple.com/en-us/127111.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29223
GHSA-f5rg-6cw8-4phq