Description
An authorization issue was addressed with improved state management. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, visionOS 26.4, watchOS 26.4. An app may be able to access sensitive user data.
Published: 2026-03-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authorization issue in Apple’s operating systems, now addressed through improved state management, allows an installed application on unpatched versions to read protected user information without the proper permission checks being applied. The weakness, classified as CWE-200, lets an app acquire sensitive data that it is not explicitly authorized to access, compromising user confidentiality. The vulnerability does not enable direct device control or code execution, but it permits disclosure of private information.

Affected Systems

Apple OSes affected include iOS, iPadOS, macOS, visionOS, and watchOS on all releases earlier than iOS 18.7.9, iOS 26.4, iPadOS 18.7.9, iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, visionOS 26.4, and watchOS 26.4. Until those specific versions are installed, any device running those operating systems remains vulnerable to an app reading sensitive user data.

Risk and Exploitability

The reported CVSS score is 5.5 and the EPSS is below 1%, indicating moderate severity and a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, suggesting no large‑scale or notable exploits to date. The likely attack vector is an application that has already been installed on the device; based on the description, it is inferred that such an app could leverage the flaw to read sensitive user data where proper authorization is not enforced.

Generated by OpenCVE AI on May 11, 2026 at 22:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest iOS update (≥ 18.7.9, ≥ 26.4) on all iPhone and iPad devices.
  • Update all Mac computers to at least macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, or macOS Tahoe 26.4.
  • Apply the latest visionOS 26.4 or later update to all Vision Pro devices and watchOS 26.4 or later update to all Apple Watch devices.

Advisories

No advisories yet.

History

Mon, 11 May 2026 23:00:00 +0000

Type Values Removed Values Added
Title Apple OS Authorization Issue Allowing Apps to Access Sensitive User Data

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description
  Removed: An authorization issue was addressed with improved state management. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Tahoe 26.4, visionOS 26.4, watchOS 26.4. An app may be able to access sensitive user data.
  Added: An authorization issue was addressed with improved state management. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, visionOS 26.4, watchOS 26.4. An app may be able to access sensitive user data.
References

Fri, 27 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Title Apple OS Authorization Issue Allowing Apps to Access Sensitive User Data

Thu, 26 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple ipados
Apple iphone Os
Weaknesses CWE-200
NVD-CWE-noinfo
CPEs cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
Vendors & Products Apple ipados
Apple iphone Os
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Title Authorization Bypass Allows App to Access Sensitive User Data via Improper State Management
Weaknesses CWE-285

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Title Authorization Bypass Allows App to Access Sensitive User Data via Improper State Management
Weaknesses CWE-285

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios And Ipados
Apple macos
Apple visionos
Apple watchos
Vendors & Products Apple
Apple ios And Ipados
Apple macos
Apple visionos
Apple watchos

Wed, 25 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
Description An authorization issue was addressed with improved state management. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Tahoe 26.4, visionOS 26.4, watchOS 26.4. An app may be able to access sensitive user data.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-11T20:08:01.808Z

Reserved: 2026-03-03T16:36:03.974Z

Link: CVE-2026-28877

Vulnrichment

Updated: 2026-03-26T19:15:34.819Z

NVD

Status : Modified

Published: 2026-03-25T01:17:11.517

Modified: 2026-05-11T21:18:52.177

Link: CVE-2026-28877

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T22:45:36Z

Weaknesses