Impact
The vulnerability stems from missing permission checks that allow an application to read sensitive user data that should be protected by the operating system. This is an improper access control flaw (CWE-284) that can give an attacker access to private information. It does not lead to code execution or denial of service, but it enables data theft and privacy violations. Exposure is limited to the context in which the application is permitted to run, and the flaw must be triggered by a malicious or compromised app.
Affected Systems
Apple Safari and macOS Tahoe are affected when running versions prior to Safari 26.2 and macOS Tahoe 26.2, respectively. The fix was introduced in those releases, so any earlier builds remain vulnerable. Systems still deploying an earlier Safari or macOS Tahoe version should be considered at risk. No other Apple products are listed as impacted by this issue.
Risk and Exploitability
The CVSS score of 5.5 indicates moderate impact. The EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, implying that large-scale exploitation has not been reported. The likely attack vector is a malicious application running on the device; the attacker would need to install such an app or trick a user into installing it. Because exploitation requires the ability to run code locally on the device, remote exploitation is unlikely without a prior compromise or social engineering. The threat remains a moderate risk, primarily a privacy breach rather than a system compromise.
OpenCVE Enrichment