Description
This issue was addressed with improved checks. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to enumerate a user's installed apps.
Published: 2026-03-25
Score: 4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An application running on an Apple device can enumerate the list of installed applications because the operating system does not adequately enforce authorization checks. The patch introduces improved checks, but until the update is applied a malicious or compromised app could retrieve a full list of local apps, revealing the user’s software usage and potentially exposing sensitive personal habits. This information‑exposure weakness allows unauthorized disclosure of the installed‑app list.

Affected Systems

Apple’s iOS, iPadOS, macOS (Tahoe), tvOS, visionOS, and watchOS versions released before 26.4 are affected. The 26.4 updates for each platform contain the fix that introduces stricter checks to block unauthorized enumeration.

Risk and Exploitability

The CVSS base score of 4 reflects moderate severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog, further implying limited threat. Because enumeration occurs only when a local application is present, the attack vector is a malicious or compromised app deployed on the device, not a remote exploit.

Generated by OpenCVE AI on May 12, 2026 at 00:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the operating system to version 26.4 or later on all Apple devices
  • Revoke app permissions that allow enumeration of installed applications where possible
  • Limit the installation of third‑party applications, and monitor for suspicious apps

Generated by OpenCVE AI on May 12, 2026 at 00:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 01:15:00 +0000

Type Values Removed Values Added
Title Installed Application Enumeration Vulnerability on Apple Devices

Mon, 11 May 2026 23:00:00 +0000

Type Values Removed Values Added
Title Installed App Enumeration Vulnerability in Apple Operating Systems
Weaknesses CWE-200
CWE-284

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description This issue was addressed with improved checks. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to enumerate a user's installed apps. This issue was addressed with improved checks. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to enumerate a user's installed apps.
References

Sun, 29 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Title Installed App Enumeration Vulnerability in Apple Operating Systems
Weaknesses CWE-200
CWE-284

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Title Application Enumeration Vulnerability
Weaknesses CWE-200

Fri, 27 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Title Application Enumeration Vulnerability
Weaknesses CWE-200

Thu, 26 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple ipados
Apple iphone Os
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
Vendors & Products Apple ipados
Apple iphone Os

Thu, 26 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Title Application Enumeration Vulnerability Allowing App to List Installed Apps
Weaknesses CWE-200

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Title Application Enumeration Vulnerability Allowing App to List Installed Apps
Weaknesses CWE-200

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios And Ipados
Apple macos
Apple tvos
Apple visionos
Apple watchos
Vendors & Products Apple
Apple ios And Ipados
Apple macos
Apple tvos
Apple visionos
Apple watchos

Wed, 25 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
Description This issue was addressed with improved checks. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to enumerate a user's installed apps.
References

Subscriptions

Apple Ios And Ipados Ipados Iphone Os Macos Tvos Visionos Watchos
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-11T20:07:57.989Z

Reserved: 2026-03-03T16:36:03.975Z

Link: CVE-2026-28882

cve-icon Vulnrichment

Updated: 2026-03-26T14:32:31.356Z

cve-icon NVD

Status : Modified

Published: 2026-03-25T01:17:12.057

Modified: 2026-05-11T21:18:52.537

Link: CVE-2026-28882

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T01:00:04Z

Weaknesses