Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5, watchOS 26.5. An app may be able to bypass certain Privacy preferences.
AnalysisAI
Privacy bypass in Apple operating systems allows local authenticated apps to circumvent user-configured privacy restrictions through permission mishandling. The vulnerability affects iOS, iPadOS, macOS Tahoe, visionOS, and watchOS versions prior to 26.5. An attacker with local app execution privileges can access sensitive data classified as restricted by user privacy settings, though without authentication bypass or integrity compromise. Fixed in coordinated OS updates across Apple's ecosystem.
Technical ContextAI
The vulnerability stems from insufficient access control enforcement in Apple's privacy permission model, classified under CWE-284 (Improper Access Control-Permissions, Privileges, and Other Access Controls). The root cause involves inadequate restrictions on how apps interact with the privacy preferences system. While details are limited by Apple's disclosure practices, this reflects a common class of vulnerabilities where privilege boundaries or capability enforcement mechanisms fail to prevent unauthorized data access. The affected systems span multiple Apple platforms running kernel and framework code that enforces privacy sandboxing, suggesting a shared component or framework flaw across iOS, macOS, visionOS, and watchOS.
RemediationAI
Vendor-released patch: Update to iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5, or watchOS 26.5. For all affected platforms, navigate to Settings > General > Software Update (iOS/iPadOS/watchOS) or System Settings > General > Software Update (macOS/visionOS) and install the latest available version. Additional details on platform-specific security updates are available in Apple security advisories: https://support.apple.com/en-us/127110 (macOS), https://support.apple.com/en-us/127115 (iOS/iPadOS), https://support.apple.com/en-us/127119 (visionOS), https://support.apple.com/en-us/127120 (watchOS). No compensating controls mitigate the privacy bypass without patching; however, organizations can reduce exposure by restricting sideloaded app installation (macOS, iOS) and using Mobile Device Management (MDM) policies to enforce App Store-only distribution on managed devices.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29282
GHSA-8pv7-gjvg-66w2