CVE-2025-43428 - Vulnerability Details

- Hidden Photos Visible Without Authentication

Description

A configuration issue was addressed with additional restrictions. This issue is fixed in iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2. Photos in the Hidden Photos Album may be viewed without authentication.

Published: 2025-12-17

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability allows an attacker to view photos stored in the Hidden Photos Album without authentication. This bypasses the intended privacy controls and permits unauthorized access to sensitive personal media, directly compromising confidentiality. It is rooted in an inadequate verification of permissions, reflected by its CWE‑306 classification.

Affected Systems

Apple devices running iOS or iPadOS prior to version 26.2, macOS Tahoe prior to 26.2, and visionOS prior to 26.2 are affected. The fix is included in version 26.2 of each operating system; any versions before that remain vulnerable.

Risk and Exploitability

With a CVSS score of 9.8, the flaw is considered critical. The EPSS score of less than 1% indicates that while exploitation is unlikely, it remains possible, especially for users who physically or locally access the device. The vulnerability is not listed in the U.S. CISA KEV catalog, but its high severity warrants prompt remediation. Attackers who can access the device or trick a user into navigating to the Hidden Photos Album could therefore gain unauthorized visibility of personal images.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Apple

iOS and iPadOS

affected

Version	Status	Constraints
`0`	affected	< 26.2

Apple

macOS

affected

Version	Status	Constraints
`0`	affected	< 26.2

Apple

visionOS

affected

Version	Status	Constraints
`0`	affected	< 26.2

Configuration 1 [-]

OR	cpe:2.3:o:apple:ipados::::::::
	cpe:2.3:o:apple:iphone_os::::::::
	cpe:2.3:o:apple:macos::::::::
	cpe:2.3:o:apple:visionos::::::::

No data.

Vendor	Product	Confidence	Versions
Apple	Ios	—	—
Apple	Ipados	—	—
Apple	Macos	—	—
Apple	Macos Tahoe	—	—
Apple	Visionos	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply iOS 26.2, iPadOS 26.2, macOS Tahoe 26.2, or visionOS 26.2 updates to all affected devices.
Until the update is available, disable or remove photos from the Hidden Photos Album to prevent unintended exposure.
Contact Apple Support or consult the Apple Security Bulletin to confirm that the update resolves the issue and to track any additional recommendations.

Generated by OpenCVE AI on April 22, 2026 at 20:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0015.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://support.apple.com/en-us/125884
https://support.apple.com/en-us/125886
https://support.apple.com/en-us/125891

History

Wed, 22 Apr 2026 20:45:00 +0000

Type	Values Removed	Values Added
Title		Hidden Photos Visible Without Authentication

Thu, 02 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
Description	A configuration issue was addressed with additional restrictions. This issue is fixed in visionOS 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2. Photos in the Hidden Photos Album may be viewed without authentication.	A configuration issue was addressed with additional restrictions. This issue is fixed in iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2. Photos in the Hidden Photos Album may be viewed without authentication.

Thu, 18 Dec 2025 21:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple iphone Os
CPEs		cpe:2.3:o:apple:ipados:::::::: cpe:2.3:o:apple:iphone_os:::::::: cpe:2.3:o:apple:macos:::::::: cpe:2.3:o:apple:visionos::::::::
Vendors & Products		Apple iphone Os

Thu, 18 Dec 2025 20:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-306
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 18 Dec 2025 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple ios Apple ipados Apple macos Apple macos Tahoe Apple visionos
Vendors & Products		Apple Apple ios Apple ipados Apple macos Apple macos Tahoe Apple visionos

Wed, 17 Dec 2025 21:00:00 +0000

Type	Values Removed	Values Added
Description		A configuration issue was addressed with additional restrictions. This issue is fixed in visionOS 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2. Photos in the Hidden Photos Album may be viewed without authentication.
References		https://support.apple.com/en-us/125884 https://support.apple.com/en-us/125886 https://support.apple.com/en-us/125891

Subscriptions

Apple Ios Ipados Iphone Os Macos Macos Tahoe Visionos

MITRE

Status: PUBLISHED

Assigner: apple

Published: 2025-12-17T20:46:35.128Z

Updated: 2026-04-02T18:10:50.464Z

Reserved: 2025-04-16T15:24:37.124Z

Link: CVE-2025-43428

Vulnrichment

Updated: 2025-12-18T19:13:28.976Z

NVD

Status : Modified

Published: 2025-12-17T21:16:01.990

Modified: 2026-04-02T19:20:44.970

Link: CVE-2025-43428

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T20:30:26Z

Weaknesses

CWE-306

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object