Description
This issue was addressed with additional entitlement checks. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.4 and iPadOS 26.4. An app may be able to circumvent App Privacy Report logging.
Published: 2026-05-11
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An application can bypass required entitlement checks to avoid being recorded by the App Privacy Report, allowing it to collect or transmit data without the privacy safeguard that would normally be enforced. This flaw results in a violation of user privacy, with the potential for malicious or accidental data exposure. The weakness is a form of improper authorization or access control (CWE‑285).

Affected Systems

Apple iOS and iPadOS devices running versions prior to iOS 18.7.9 and iPadOS 18.7.9, as well as prior to iOS 26.4 and iPadOS 26.4 are affected. The vulnerability is fixed in the 18.7.9/26.4 releases.

Risk and Exploitability

There is no EPSS data or KEV listing, but the flaw permits a local or remote application to subvert system-enforced privacy protections once it is installed. Because the issue is a direct entitlement bypass, any app that can install on the device can potentially exploit it, although no public exploit is known at this time. The risk is significant for user privacy and compliance with data protection regulations.

Generated by OpenCVE AI on May 11, 2026 at 21:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device to iOS 18.7.9, iPadOS 18.7.9, iOS 26.4, or iPadOS 26.4, which contain the entitlement check fix.
  • Enforce an update policy that guarantees all managed devices run one of the fixed OS releases, and configure automated update enrollment if available.
  • Periodically review App Privacy Report logs to ensure no unauthorized data collection is taking place and confirm that the device is operating a fixed OS version.

Generated by OpenCVE AI on May 11, 2026 at 21:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 11 May 2026 22:00:00 +0000

Type Values Removed Values Added
Title App Privacy Report Bypass via Entitlement Check Failure
First Time appeared Apple
Apple ios And Ipados
Weaknesses CWE-285
Vendors & Products Apple
Apple ios And Ipados

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description This issue was addressed with additional entitlement checks. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.4 and iPadOS 26.4. An app may be able to circumvent App Privacy Report logging.
References

Subscriptions

Apple Ios And Ipados
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-11T20:08:38.388Z

Reserved: 2026-03-03T16:36:03.974Z

Link: CVE-2026-28873

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-11T21:18:52.077

Modified: 2026-05-12T14:13:03.510

Link: CVE-2026-28873

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T21:45:36Z

Weaknesses