Skip to main content

Apple iOS, iPadOS, macOS, visionOS EUVDEUVD-2026-29286

| CVE-2026-28993 MEDIUM
Improper Access Control (CWE-284)
2026-05-11 apple GHSA-vx52-282h-fq3g
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 12, 2026 - 18:26 vuln.today
CVSS changed
May 12, 2026 - 18:22 NVD
5.5 (MEDIUM)
Patch available
May 11, 2026 - 22:18 EUVD
CVE Published
May 11, 2026 - 20:08 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:08 nvd
MEDIUM 5.5

DescriptionCVE.org

This issue was addressed by adding an additional prompt for user consent. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, visionOS 26.5. An app may be able to access user-sensitive data.

AnalysisAI

Local authenticated apps bypass user consent mechanisms to access sensitive user data across iOS 18.7.8 and earlier, iPadOS 18.7.8 and earlier, macOS Sequoia 15.7.6 and earlier, macOS Sonoma 14.8.6 and earlier, macOS Tahoe 26.4 and earlier, and visionOS 26.4 and earlier. The vulnerability allows malicious or compromised applications running with standard user privileges to exfiltrate protected information without triggering the expected permission prompts. Apple has patched this by implementing an additional consent verification layer, though the low EPSS score (0.02%) suggests real-world exploitation remains limited.

Technical ContextAI

This vulnerability resides in Apple's application sandbox and privacy permission model, specifically in the mechanisms governing sensitive data access requests classified under CWE-284 (Improper Access Control). The flaw permits apps with only local system access and standard user privileges to circumvent the inter-process communication (IPC) barriers and privacy prompts that normally gate access to protected user data such as contacts, photos, location, or health information. The iOS, iPadOS, macOS, and visionOS affected products all share a common privacy framework that enforces permission checks before granting access to user-sensitive resources; the vulnerability indicates a gap in this framework's enforcement layer, likely in the code path responsible for validating app entitlements or user consent before data exposure.

RemediationAI

Vendor-released patches are available: iOS and iPadOS 18.7.9 and 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, and visionOS 26.5. Users should apply these updates immediately through Settings > General > Software Update on iOS/iPadOS/visionOS or System Settings > General > Software Update on macOS. No workarounds are available for users on vulnerable versions; mitigation requires patching. As a temporary compensating control, restrict installation of third-party apps from untrusted sources and review installed app permissions in Settings > Privacy & Security (iOS/iPadOS) or System Settings > Privacy & Security (macOS) to disable access to sensitive data categories for apps that do not explicitly require such access. However, this control is imperfect because it relies on user awareness and does not prevent already-installed or system apps from exploiting the vulnerability. Refer to https://nvd.nist.gov/vuln/detail/CVE-2026-28993 for additional vendor guidance.

Share

EUVD-2026-29286 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy