Description
A privacy issue was addressed by removing sensitive data. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.7, macOS Sonoma 14.8.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to enumerate a user's installed apps.
Published: 2026-03-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A privacy vulnerability enables an application to enumerate the list of apps installed on an Apple device, thereby exposing information about user behavior and installed software. This is an information disclosure weakness (CWE‑200) that can reveal sensitive data without user consent. The issue has been mitigated by removing the sensitive data in the newer OS releases, and the fix is available in iOS 18.7.7 and iOS 26.4, iPadOS 18.7.7 and iPadOS 26.4, macOS Sequoia 15.7.7, macOS Sonoma 14.8.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, and watchOS 26.4.

Affected Systems

It affects all Apple operating systems including iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. Fixed versions are iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.7, macOS Sonoma 14.8.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, and watchOS 26.4. Devices running earlier releases remain vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate risk for privacy compromise. EPSS is below 1 %, and the vulnerability is not listed in the CISA KEV catalog, suggesting a low likelihood of malicious exploitation in the wild. Based on the description, it is inferred that the attack vector is local, requiring a malicious or compromised application with sufficient privileges on the device. The impact is limited to privacy violations rather than full system compromise.

Generated by OpenCVE AI on May 11, 2026 at 22:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest iOS, iPadOS, macOS, tvOS, visionOS, and watchOS releases that contain the fix.
  • If an immediate update is not possible, restrict permissions for installed apps or remove any untrusted applications to reduce potential exposure.
  • Enable automatic updates to receive future fixes automatically.
  • Keep an eye on Apple security advisories for additional guidance.

Generated by OpenCVE AI on May 11, 2026 at 22:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 11 May 2026 23:00:00 +0000

Type Values Removed Values Added
Title Privacy Disclosure via Installed Apps Enumeration on Apple Platforms

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description A privacy issue was addressed by removing sensitive data. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sonoma 14.8.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to enumerate a user's installed apps. A privacy issue was addressed by removing sensitive data. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.7, macOS Sonoma 14.8.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to enumerate a user's installed apps.
References

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Title Installed App Enumeration Privacy Leak Privacy Disclosure via Installed Apps Enumeration on Apple Platforms

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Title Installed App Enumeration Privacy Leak

Wed, 25 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple ipados
Apple iphone Os
CPEs cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
Vendors & Products Apple ipados
Apple iphone Os

Wed, 25 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios And Ipados
Apple macos
Apple tvos
Apple visionos
Apple watchos
Vendors & Products Apple
Apple ios And Ipados
Apple macos
Apple tvos
Apple visionos
Apple watchos

Wed, 25 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
Description A privacy issue was addressed by removing sensitive data. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sonoma 14.8.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to enumerate a user's installed apps.
References

Subscriptions

Apple Ios And Ipados Ipados Iphone Os Macos Tvos Visionos Watchos
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-11T20:08:31.796Z

Reserved: 2026-03-03T16:36:03.974Z

Link: CVE-2026-28878

cve-icon Vulnrichment

Updated: 2026-03-25T19:54:31.503Z

cve-icon NVD

Status : Modified

Published: 2026-03-25T01:17:11.620

Modified: 2026-05-11T21:18:52.350

Link: CVE-2026-28878

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T22:45:36Z

Weaknesses