Impact
A permissions flaw in Apple operating systems allows any installed application to override user‑defined privacy settings and access personal data that the user intended to keep hidden. The vulnerability stems from insufficient enforcement of system restrictions on sensitive data access, and it compromises the confidentiality guarantees that devices are expected to provide. The issue was fixed by adding restrictions in version 26.5 of iOS, iPadOS, macOS, visionOS, and watchOS, after which the bypass can no longer be performed through a normal application.
Affected Systems
All Apple platforms that were running a release older than 26.5—iOS, iPadOS, macOS, visionOS, and watchOS—are affected. Once Apple rolled out the 26.5 update, the vulnerability was patched and the additional permission checks were enforced. Devices that are still on earlier releases remain at risk until they are upgraded.
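A fleet check built from the version boundary stated above, as an added example that is not part of the original advisory: it reads a device inventory and flags rows below 26.5 on the five named platforms. The CSV column names, device names and sample rows are constructed assumptions, and the check applies only the 26.5 boundary given on this page.

```python
import csv
import io
import re

# Fixed release and platform list as stated in the advisory text above.
FIXED = (26, 5)
COVERED = {"ios", "ipados", "macos", "visionos", "watchos"}

# Constructed sample inventory (hypothetical MDM export; not real devices).
SAMPLE_CSV = """device,platform,os_version
ipad-lab-01,iPadOS,26.4.1
mac-dev-07,macOS,26.5
phone-exec-02,iOS,18.7.2
watch-qa-03,watchOS,26.5 (build-placeholder)
vision-demo,visionOS,beta
tv-lobby,tvOS,26.4
"""


def parse_version(text):
    """Return the leading dotted-numeric version as a tuple, or None."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def classify(platform, os_version):
    """Map one inventory row to at_risk / patched / unknown / not_covered."""
    if platform.strip().lower() not in COVERED:
        return "not_covered"   # platform is not named in the advisory
    version = parse_version(os_version)
    if version is None:
        return "unknown"       # unparseable: review by hand, never assume patched
    # Pad so "26" compares as 26.0 against the 26.5 boundary.
    padded = version + (0,) * (len(FIXED) - len(version))
    return "patched" if padded >= FIXED else "at_risk"


def triage(csv_text):
    """Return {device: status} for every row of the inventory CSV."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["device"]: classify(r["platform"], r["os_version"]) for r in rows}


if __name__ == "__main__":
    for device, status in triage(SAMPLE_CSV).items():
        print(f"{device:15} {status}")
```

Rows reported as `unknown` or `not_covered` need manual review; the script deliberately does not count them as patched.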
Risk and Exploitability
The EPSS score of < 1 % and the fact that the vulnerability is not listed in the CISA KEV catalog indicate that public exploitation is currently unlikely. With a CVSS of 5.5 the flaw is classified as moderate severity; the primary risk is the ability to access or share private information beyond the user’s consent. Based on the description, it is inferred that the attack vector is app‑based—an attacker would need to either create a malicious application or compromise an existing one with elevated permissions to exploit the flaw. No additional conditions beyond the presence of such an application are stated, so the exploitation path is straightforward once the prerequisite is met.