Skip to main content

Apple operating systems EUVDEUVD-2026-29274

| CVE-2026-28974 HIGH
Improper Access Control (CWE-284)
2026-05-11 apple GHSA-xxh7-j8v2-g57f
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 12, 2026 - 14:28 vuln.today
CVSS changed
May 12, 2026 - 14:22 NVD
7.5 (HIGH)
Patch available
May 11, 2026 - 22:18 EUVD
CVE Published
May 11, 2026 - 20:07 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:07 nvd
HIGH 7.5

DescriptionCVE.org

This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. An app may be able to cause a denial-of-service.

AnalysisAI

Confidentiality breach in Apple's operating systems (iOS, iPadOS, macOS, tvOS, visionOS, watchOS) allows remote unauthenticated attackers to access high-sensitivity information through improper access control checks. Despite the vendor description indicating denial-of-service impact, the CVSS vector reveals a severe confidentiality compromise (C:H) with network-accessible attack surface requiring no authentication. Apple has patched all affected platforms in coordinated security updates released across six operating systems. EPSS score of 0.02% suggests low observed exploitation probability, and no public exploit code has been identified at time of analysis.

Technical ContextAI

This vulnerability stems from CWE-284 (Improper Access Control), indicating insufficient authorization enforcement in Apple's cross-platform framework components. The affected technology spans Apple's entire ecosystem: iOS/iPadOS mobile devices, macOS desktop/laptop systems (both Sequoia and newer Tahoe branches), tvOS streaming devices, visionOS spatial computing platform, and watchOS wearables. The CPE strings confirm application-layer vulnerabilities rather than kernel-level flaws. The root cause involves inadequate validation of authorization checks before granting access to sensitive resources or data, allowing applications to bypass intended security boundaries. Apple's fix involved 'improved checks to prevent unauthorized actions,' suggesting the addition of missing authorization gates or strengthening of existing permission validation logic in shared framework code deployed across all platforms.

RemediationAI

Apply vendor-released patches immediately: upgrade iOS and iPadOS to version 26.5, macOS Sequoia to version 15.7.7, macOS Tahoe to version 26.5, tvOS to version 26.5, visionOS to version 26.5, and watchOS to version 26.5. Updates are available through standard Apple software update mechanisms for each platform. Consult platform-specific security advisories at https://support.apple.com/en-us/127110 (iOS/iPadOS), https://support.apple.com/en-us/127115 (macOS Sequoia), https://support.apple.com/en-us/127116 (macOS Tahoe), https://support.apple.com/en-us/127118 (tvOS), https://support.apple.com/en-us/127119 (visionOS), and https://support.apple.com/en-us/127120 (watchOS). No workarounds are documented. As a compensating control until patching, restrict installation of third-party applications to trusted sources only and enforce mobile device management policies that limit app installation permissions, though this significantly impacts device usability and does not prevent exploitation by apps already installed or distributed through official app stores.

Share

EUVD-2026-29274 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy