Description
This issue was addressed with improved validation of symlinks. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to access sensitive user data.
Published: 2026-03-25
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to sensitive user data
Action: Apply patch
AI Analysis

Impact

Improper validation of symbolic links in the operating system allows an application to maliciously reference protected files. This vulnerability can be exploited to read or write data that should be confined to the system or other users, leading to unauthorized access to sensitive user information. It represents a path traversal issue tied to the CWE-59 weakness.
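As an added illustration of the CWE-59 defence the advisory alludes to (this is not Apple's code, and the vulnerable code itself is not public), the following C function opens a file beneath an app-owned directory while refusing to follow any symlink in the relative path, so a planted link cannot redirect the open to a protected file. The fixture directory, file names and the `run_demo` helper are constructed for this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Open base/relpath while refusing absolute paths, "..", and any symlink in
 * relpath: every component is opened relative to the previous one with O_NOFOLLOW,
 * so a link planted after a string check cannot redirect the open. Returns an fd or -1. */
int open_beneath(const char *base, const char *relpath) {
    char buf[PATH_MAX], *save = NULL;
    if (relpath[0] == '/' || strlen(relpath) >= sizeof buf) return -1;
    char *comp = strtok_r(strcpy(buf, relpath), "/", &save);
    int dirfd = comp ? open(base, O_RDONLY | O_DIRECTORY | O_CLOEXEC) : -1;
    if (dirfd < 0) return -1;                       /* empty path or unusable base */
    while (comp != NULL) {
        char *next = strtok_r(NULL, "/", &save);
        int flags = O_RDONLY | O_NOFOLLOW | O_CLOEXEC | (next ? O_DIRECTORY : 0);
        int fd = strcmp(comp, "..") == 0 ? -1 : openat(dirfd, comp, flags);
        close(dirfd); if (fd < 0) return -1;        /* symlink, "..", or missing: refuse */
        dirfd = fd;
        comp = next;
    }
    return dirfd;
}

/* Constructed fixture: <tmp>/secret.txt outside <tmp>/appXXXXXX, which holds a real file and two symlinks out. */
static void put(const char *p) { int fd = open(p, O_WRONLY | O_CREAT, 0600); if (fd >= 0) close(fd); }
static int make_fixture(char *base, size_t n) {
    char root[] = "/tmp/cwe59-XXXXXX", p[PATH_MAX];
    if (!mkdtemp(root)) return -1;
    snprintf(p, sizeof p, "%s/secret.txt", root); put(p);
    snprintf(base, n, "%s/appXXXXXX", root);
    if (!mkdtemp(base)) return -1;
    snprintf(p, sizeof p, "%s/notes.txt", base);  put(p);
    snprintf(p, sizeof p, "%s/leak", base);       symlink("../secret.txt", p);
    snprintf(p, sizeof p, "%s/updir", base);      symlink("..", p);
    return 0;
}

int run_demo(void) {  /* number of cases that behaved as expected; 4 means all */
    char base[PATH_MAX]; int ok = 0, fd;
    if (make_fixture(base, sizeof base) != 0) return -1;
    if ((fd = open_beneath(base, "notes.txt")) >= 0) { ok++; close(fd); } /* real file: allowed */
    if (open_beneath(base, "leak") < 0) ok++;             /* symlink to the secret: refused */
    if (open_beneath(base, "updir/secret.txt") < 0) ok++; /* symlinked directory: refused */
    if (open_beneath(base, "../secret.txt") < 0) ok++;    /* dot-dot escape: refused */
    return ok;
}
```

The component-by-component walk matters because an `O_NOFOLLOW` on the final open alone would still follow a symlinked intermediate directory such as `updir` above.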

Affected Systems

Apple's operating systems (iOS, iPadOS, and macOS) are affected. Vulnerable versions include any releases before iOS 18.7.7, iPadOS 18.7.7, iOS 26.4, iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, and macOS Tahoe 26.4. The issue is resolved in the listed patch versions.

Risk and Exploitability

The CVSS score of 6.2 denotes medium severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, further suggesting limited real-world exploitation. The attack vector is local (CVSS AV:L): exploitation requires a malicious or compromised application already running on the device to supply crafted symlink paths, and that need for local code execution reduces the risk of widespread remote attacks. Overall, the risk remains moderate but does not pose an immediate large-scale threat.

Generated by OpenCVE AI on March 26, 2026 at 14:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest iOS, iPadOS, and macOS releases.
  • Verify that the updates were installed correctly.
  • If an update is not possible, restrict or remove any applications that could exploit the flaw.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Title Improper Symlink Validation Leading to Access of Sensitive User Data on Apple Platforms

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Title Symlink Validation Flaw Enabling Unauthorized Access to Sensitive User Data
Weaknesses CWE-20
CWE-22

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Title Symlink Validation Flaw Enabling Unauthorized Access to Sensitive User Data
Weaknesses CWE-20
CWE-22

Wed, 25 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple ipados
Apple iphone Os
CPEs cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
Vendors & Products Apple ipados
Apple iphone Os

Wed, 25 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-59
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios And Ipados
Apple macos
Vendors & Products Apple
Apple ios And Ipados
Apple macos

Wed, 25 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
Description This issue was addressed with improved validation of symlinks. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to access sensitive user data.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:11:07.226Z

Reserved: 2026-03-03T16:36:03.973Z

Link: CVE-2026-28866

Vulnrichment

Updated: 2026-03-25T19:14:41.565Z

NVD

Status : Analyzed

Published: 2026-03-25T01:17:10.680

Modified: 2026-03-25T21:30:07.740

Link: CVE-2026-28866

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:20:14Z

Weaknesses