Description
A logic issue was addressed with improved validation. This issue is fixed in Safari 26.3, iOS 18.7.5 and iPadOS 18.7.5, macOS Tahoe 26.3. An app may be able to access a user's Safari history.
Published: 2026-02-11
Score: 3.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Exposure of Browsing History
Action: Immediate Update
AI Analysis

Impact

A logic flaw in Apple's web browsing components allows a malicious application to read a user's Safari history without proper authorization. This privacy breach can expose sensitive personal information and browsing habits. The weakness is an authorization bypass, classified as CWE-285 (Improper Authorization). The vulnerability does not affect system integrity or availability, but it lets an attacker gather limited user data, which is a concern for compliance and privacy.

Affected Systems

Apple Safari on macOS, iOS, and iPadOS is affected. The issue has been corrected in Safari 26.3, iOS 18.7.5, iPadOS 18.7.5, and macOS Tahoe 26.3. Users running earlier versions are potentially exposed.

Risk and Exploitability

The CVSS score of 3.3 denotes low severity; exploitation is straightforward once an application is installed or already present on the device. The EPSS score of less than 1% suggests that exploitation is unlikely at present, and the vulnerability is not listed in CISA's KEV catalog. The most probable attack vector is local: a user installs or runs an app that reads Safari history once the logic error is triggered. No additional conditions are required beyond the presence of such an app.

Generated by OpenCVE AI on April 15, 2026 at 21:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Safari, iOS, iPadOS, or macOS to a version that incorporates the fix (Safari 26.3+, iOS 18.7.5+, iPadOS 18.7.5+, or macOS Tahoe 26.3+).
  • Revoke or limit app permissions that request access to web browsing data in system settings.
  • Ensure that only apps from trusted, verified sources are installed; regularly audit installed applications for unnecessary permissions.
  • Monitor Apple’s support portal for any new advisories or patches if an update is not immediately available.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type: Description
Values Removed: A logic issue was addressed with improved validation. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, Safari 26.3, macOS Tahoe 26.3. An app may be able to access a user's Safari history.
Values Added: A logic issue was addressed with improved validation. This issue is fixed in Safari 26.3, iOS 18.7.5 and iPadOS 18.7.5, macOS Tahoe 26.3. An app may be able to access a user's Safari history.

Wed, 18 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-285
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple ipados
Apple iphone Os
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
Vendors & Products Apple ipados
Apple iphone Os
Metrics cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Thu, 12 Feb 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios And Ipados
Apple macos
Apple safari
Vendors & Products Apple
Apple ios And Ipados
Apple macos
Apple safari

Wed, 11 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
Description A logic issue was addressed with improved validation. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, Safari 26.3, macOS Tahoe 26.3. An app may be able to access a user's Safari history.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:15:52.101Z

Reserved: 2025-11-11T14:43:07.865Z

Link: CVE-2026-20656

Vulnrichment

Updated: 2026-02-18T15:07:21.207Z

NVD

Status: Modified

Published: 2026-02-11T23:16:08.427

Modified: 2026-04-02T19:21:18.573

Link: CVE-2026-20656

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T21:15:13Z

Weaknesses