Description
This issue was addressed with additional entitlement checks. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2, macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe 26.1. An app may be able to access sensitive user data.
Published: 2025-11-04
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to sensitive data
Action: Update
AI Analysis

Impact

An entitlement check flaw in Apple iOS, iPadOS, and macOS allows an application to access sensitive user data without proper authorization. The missing entitlement checks create an access control weakness (CWE‑284). An attacker who can install or trick the user into installing a malicious app could read protected information, potentially compromising user privacy, but the flaw does not provide arbitrary code execution or a denial of service.

Affected Systems

Apple iOS and iPadOS versions prior to 18.7.2, macOS Sequoia before 15.7.2, macOS Sonoma before 14.8.2, and macOS Tahoe before 26.1 are affected. The vulnerability is fixed in iOS 18.7.2, iPadOS 18.7.2, macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, and macOS Tahoe 26.1.

Risk and Exploitability

The CVSS base score of 5.5 indicates moderate severity. The EPSS score of less than 1% shows a very low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the likely attack vector is a malicious or compromised app installed locally; the attacker would need to persuade a user to install the app or exploit a local code execution path. Given the low EPSS, the risk is moderate but still warrants prompt application of the vendor‑supplied fix.

Generated by OpenCVE AI on April 27, 2026 at 23:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest operating system updates that contain the entitlement‑check fix for iOS 18.7.2, iPadOS 18.7.2, macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, or macOS Tahoe 26.1.
  • If updates cannot be applied immediately, review installed applications for unnecessary sensitive data permissions, and either remove or revoke those permissions via Settings → Privacy, or uninstall apps with excessive entitlements.
  • Monitor Apple support announcements and apply any future patches addressing this or related access‑control weaknesses.



Advisories

No advisories yet.

History

Mon, 27 Apr 2026 23:30:00 +0000

Title
  Added: Access Control Bypass Allowing Apps to Read Sensitive User Data on Apple Devices

Thu, 02 Apr 2026 20:30:00 +0000

Description
  Removed: This issue was addressed with additional entitlement checks. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2, macOS Sequoia 15.7.2, macOS Tahoe 26.1, macOS Sonoma 14.8.2. An app may be able to access sensitive user data.
  Added: This issue was addressed with additional entitlement checks. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2, macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe 26.1. An app may be able to access sensitive user data.

Wed, 17 Dec 2025 21:00:00 +0000

Description
  Removed: This issue was addressed with additional entitlement checks. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. An app may be able to access sensitive user data.
  Added: This issue was addressed with additional entitlement checks. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2, macOS Sequoia 15.7.2, macOS Tahoe 26.1, macOS Sonoma 14.8.2. An app may be able to access sensitive user data.
References

Wed, 05 Nov 2025 19:30:00 +0000


Wed, 05 Nov 2025 18:45:00 +0000

Description
  Removed: This issue was addressed with additional entitlement checks. This issue is fixed in macOS Sonoma 14.8.2, macOS Sequoia 15.7.2. An app may be able to access sensitive user data.
  Added: This issue was addressed with additional entitlement checks. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. An app may be able to access sensitive user data.
References

Tue, 04 Nov 2025 19:15:00 +0000

CPEs
  Added: cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*

Tue, 04 Nov 2025 18:15:00 +0000

Weaknesses
  Added: CWE-284
Metrics
  Added: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}
  Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 04 Nov 2025 16:45:00 +0000

First Time appeared
  Added: Apple; Apple macos; Apple macos Sequoia; Apple macos Sonoma
Vendors & Products
  Added: Apple; Apple macos; Apple macos Sequoia; Apple macos Sonoma

Tue, 04 Nov 2025 01:45:00 +0000

Description
  Added: This issue was addressed with additional entitlement checks. This issue is fixed in macOS Sonoma 14.8.2, macOS Sequoia 15.7.2. An app may be able to access sensitive user data.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:20:02.728Z

Reserved: 2025-04-16T15:27:21.192Z

Link: CVE-2025-43499

Vulnrichment

Updated: 2025-11-04T17:49:11.934Z

NVD

Status: Modified

Published: 2025-11-04T02:15:52.980

Modified: 2026-04-02T19:20:55.317

Link: CVE-2025-43499

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T23:15:06Z

Weaknesses