Description
The issue was addressed with improved authentication. This issue is fixed in iOS 26.4 and iPadOS 26.4, visionOS 26.4, watchOS 26.4. An attacker with physical access to a locked device may be able to view sensitive user information.
Published: 2026-03-25
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Disclosure via Physical Access
Action: Patch
AI Analysis

Impact

A flaw that allows an attacker with physical access to a locked Apple device to view sensitive user information. The weakness is a broken access control, identified as CWE-284, which permits unauthorized data access when the device is physically compromised but still locked.

Affected Systems

Apple devices running iOS, iPadOS, visionOS, or watchOS are impacted. The issue is fixed in version 26.4 of all four operating systems; devices on any release earlier than 26.4 remain vulnerable until they are updated.

Risk and Exploitability

The vulnerability carries a CVSS score of 4.6, indicating moderate severity, and an EPSS score of less than 1%, suggesting a low likelihood of exploitation. It is not listed in the CISA KEV catalog. The attack vector is physical: the attacker must have possession of the locked device, so remote exploitation is not possible. Because the attacker must have the device in hand, the risk to a broader network is limited, but any user who leaves a device unattended could expose personal data.

Generated by OpenCVE AI on March 26, 2026 at 19:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device software to iOS 26.4, iPadOS 26.4, visionOS 26.4, or watchOS 26.4.
  • If an update cannot be performed immediately, ensure that the device remains locked and is stored securely to prevent physical access.
  • Consider setting a strong passcode and enabling features such as Find My and remote wipe to limit data exposure if a device is lost or stolen.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
Title Physical Access Allows Sensitive Data Disclosure on Apple Devices

Thu, 26 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple ipados
Apple iphone Os
CPEs cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
Vendors & Products Apple ipados
Apple iphone Os

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Title Physical Access Vulnerability Allowing Sensitive Data Exposure on Locked Apple Devices
Weaknesses CWE-200

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Title Physical Access Vulnerability Allowing Sensitive Data Exposure on Locked Apple Devices
Weaknesses CWE-200

Wed, 25 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics cvssV3_1

{'score': 4.6, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios And Ipados
Apple visionos
Apple watchos
Vendors & Products Apple
Apple ios And Ipados
Apple visionos
Apple watchos

Wed, 25 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
Description The issue was addressed with improved authentication. This issue is fixed in iOS 26.4 and iPadOS 26.4, visionOS 26.4, watchOS 26.4. An attacker with physical access to a locked device may be able to view sensitive user information.
MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:17:12.177Z

Reserved: 2026-03-03T16:36:03.972Z

Link: CVE-2026-28856

Vulnrichment

Updated: 2026-03-25T20:20:32.213Z

NVD

Status : Analyzed

Published: 2026-03-25T01:17:09.717

Modified: 2026-03-26T18:31:38.983

Link: CVE-2026-28856

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:53:44Z

Weaknesses