Description
An information leakage was addressed with additional validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to access sensitive user data.
Published: 2026-03-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An information leakage flaw in Apple operating systems was discovered, allowing applications to access sensitive user data without proper validation. The vulnerability was mitigated through additional validation checks and is fixed in iOS 18.7.9, iPadOS 18.7.9, iOS 26.4, iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, and watchOS 26.4. The potential impact includes unauthorized access to personal data that could compromise user privacy.

Affected Systems

Vulnerable platforms include Apple iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. The flaw is fixed in iOS 18.7.9, iPadOS 18.7.9, iOS 26.4, iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, and watchOS 26.4; devices running earlier releases are still affected.

Risk and Exploitability

The vulnerability receives a moderate CVSS score of 5.5 and an EPSS score of less than 1%, suggesting low overall exploitation likelihood. It is not listed in CISA's Known Exploited Vulnerabilities catalog. The attack vector appears to be application‑based, meaning a malicious or poorly designed app could trigger the information leak. Theoretical remote exploitation does not seem plausible based on the description provided.

Generated by OpenCVE AI on May 12, 2026 at 00:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to iOS 18.7.9, iPadOS 18.7.9, iOS 26.4, iPadOS 26.4, macOS 26.4, tvOS 26.4, visionOS 26.4, or watchOS 26.4 depending on your device.
  • If an immediate update is not possible, limit installation of third‑party applications from untrusted sources until the platform is updated.
  • Use Apple Device Management or a mobile device management solution to enforce OS version compliance and block unpatched devices from accessing sensitive data.

Generated by OpenCVE AI on May 12, 2026 at 00:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 01:15:00 +0000

Type Values Removed Values Added
Title Apple OS Information Leakage via Improper Validation
Weaknesses CWE-200

Mon, 11 May 2026 23:00:00 +0000

Type Values Removed Values Added
Title Apple OS Information Leakage Allowing Apps to Access Sensitive Data
Weaknesses CWE-200

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description An information leakage was addressed with additional validation. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to access sensitive user data. An information leakage was addressed with additional validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to access sensitive user data.
References

Sun, 29 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Title Apple OS Information Leakage Allowing Apps to Access Sensitive Data
Weaknesses CWE-200

Sat, 28 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Title Information Leakage via App on Apple Platforms
Weaknesses CWE-200

Fri, 27 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Title Information Leakage via App on Apple Platforms
Weaknesses CWE-200

Thu, 26 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple ipados
Apple iphone Os
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
Vendors & Products Apple ipados
Apple iphone Os
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Title Sensitive Data Leakage via Unvalidated Access in Apple Operating Systems
Weaknesses CWE-200

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Title Sensitive Data Leakage via Unvalidated Access in Apple Operating Systems
Weaknesses CWE-200

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios And Ipados
Apple macos
Apple tvos
Apple visionos
Apple watchos
Vendors & Products Apple
Apple ios And Ipados
Apple macos
Apple tvos
Apple visionos
Apple watchos

Wed, 25 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
Description An information leakage was addressed with additional validation. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to access sensitive user data.
References

Subscriptions

Apple Ios And Ipados Ipados Iphone Os Macos Tvos Visionos Watchos
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-11T20:07:49.135Z

Reserved: 2026-03-03T16:36:03.973Z

Link: CVE-2026-28870

cve-icon Vulnrichment

Updated: 2026-03-27T19:44:52.379Z

cve-icon NVD

Status : Modified

Published: 2026-03-25T01:17:11.003

Modified: 2026-05-11T21:18:51.810

Link: CVE-2026-28870

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T01:00:04Z

Weaknesses