Description
The issue was addressed with additional restrictions on the observability of app states. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.3. A sandboxed app may be able to access sensitive user data.
Published: 2026-02-11
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality breach via sandboxed app observability
Action: Apply patch
AI Analysis

Impact

Apple’s iOS, iPadOS and macOS platforms suffered a flaw that allowed sandboxed applications to observe app states without the additional restrictions Apple normally imposes. The vulnerability could enable a malicious or compromised app to read sensitive user data that it should not have visibility over. The weakness is classified as CWE‑200, a failed protection against information disclosure, which can compromise confidentiality.

Affected Systems

This issue affects Apple iOS and iPadOS devices running iOS 18.7.5, iPadOS 18.7.5, iOS 26.3, iPadOS 26.3 and macOS systems running Sequoia 15.7.4, Sonoma 14.8.4 or Tahoe 26.3. Any sandboxed application installed on these operating systems could potentially exploit the lack of observability restrictions.

Risk and Exploitability

The CVSS base score of 5.5 indicates a moderate risk that the flaw might be successfully leveraged. The EPSS score of less than 1% suggests that exploitation attempts are rare at present, and the vulnerability is not featured in the CISA KEV catalog. The likely attack vector is local to the device, relying on a sandboxed app that already has approved installation rights. An attacker would need to supply a specifically crafted app that abuses the observability channel to read sensitive data, with no requirement for elevated privileges or network connectivity. The low exploitation probability mitigates immediate threat, but the potential for data exposure remains.

Generated by OpenCVE AI on April 15, 2026 at 20:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest software update, which patches the flaw (iOS 18.7.5 or later, iPadOS 18.7.5 or later, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4 or macOS Tahoe 26.3).
  • If an update cannot be applied immediately, uninstall or disable any recently added sandboxed applications that are not essential to device operation.
  • Monitor for abnormal activity from installed apps, such as unexpected data transmissions or repeated access to sensitive resource APIs, and apply stricter application monitoring policies through MDM or other enterprise controls.

Generated by OpenCVE AI on April 15, 2026 at 20:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Title Sandboxed App Observability Bypass Leading to Sensitive Data Exposure

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description The issue was addressed with additional restrictions on the observability of app states. This issue is fixed in macOS Tahoe 26.3, macOS Sonoma 14.8.4, macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3. A sandboxed app may be able to access sensitive user data. The issue was addressed with additional restrictions on the observability of app states. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.3. A sandboxed app may be able to access sensitive user data.

Wed, 18 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Thu, 12 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple ipados
Apple iphone Os
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
Vendors & Products Apple ipados
Apple iphone Os
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}

Thu, 12 Feb 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios And Ipados
Apple macos
Vendors & Products Apple
Apple ios And Ipados
Apple macos

Wed, 11 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
Description The issue was addressed with additional restrictions on the observability of app states. This issue is fixed in macOS Tahoe 26.3, macOS Sonoma 14.8.4, macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3. A sandboxed app may be able to access sensitive user data.
References

Subscriptions

Apple Ios And Ipados Ipados Iphone Os Macos
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:19:32.387Z

Reserved: 2025-11-11T14:43:07.872Z

Link: CVE-2026-20680

cve-icon Vulnrichment

Updated: 2026-02-18T14:59:34.195Z

cve-icon NVD

Status : Modified

Published: 2026-02-11T23:16:10.350

Modified: 2026-04-02T19:21:22.013

Link: CVE-2026-20680

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T21:00:09Z

Weaknesses