Description
This issue was addressed by adding an additional prompt for user consent. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, visionOS 26.5. An app may be able to access user-sensitive data.
Published: 2026-05-11
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from a missing user‑consent prompt that allows an application to request and retrieve data that is normally protected by the operating system’s privacy controls. Because the OS does not present a prompt, an app can read privileged data without the user’s explicit approval, resulting in a privacy violation. The weakness is an access‑control flaw, as described by CWE-284, and can lead to unauthorized disclosure of sensitive information.

Affected Systems

Apple operating systems running versions before the patches are affected. Specifically, releases earlier than iOS 18.7.9 and 26.5, iPadOS 18.7.9 and 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, and visionOS 26.5 are vulnerable; these and later releases include the added consent prompt.

Risk and Exploitability

The CVSS score of 5.5 indicates medium severity, and the EPSS score of < 1% and absence from the CISA KEV catalog suggest that exploitation has not yet been widespread. Exploitation requires a malicious or compromised application installed locally on the device; network‑based exploitation is not indicated. Because the issue is an access‑control failure rather than code execution, the risk is primarily privacy intrusion.

Generated by OpenCVE AI on May 13, 2026 at 00:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest versions of iOS, iPadOS, macOS, and visionOS that include the mandatory consent prompt: iOS 18.7.9 or later, iPadOS 18.7.9 or later, macOS Sequoia 15.7.7 or later, macOS Sonoma 14.8.7 or later, macOS Tahoe 26.5 or later, visionOS 26.5 or later.
  • Restrict installation of applications from unknown or untrusted developers until the OS update is available to reduce the chance that a malicious app can read protected data without consent.
  • On managed devices, configure the device‑management solution to block apps that request sensitive data from protected sources without explicit user consent until the system patch is applied.


Advisories

No advisories yet.

History

Wed, 13 May 2026 01:15:00 +0000

Type Values Removed Values Added
Title Missing User Consent Prompt Enables Unauthorized Access to Sensitive Data

Tue, 12 May 2026 23:15:00 +0000

Type Values Removed Values Added
Title Unauthorized Data Access via Missing Consent Prompt
Weaknesses CWE-285

Tue, 12 May 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios And Ipados
Apple macos
Apple visionos
Vendors & Products Apple
Apple ios And Ipados
Apple macos
Apple visionos

Mon, 11 May 2026 22:45:00 +0000

Type Values Removed Values Added
Title Unauthorized Data Access via Missing Consent Prompt
Weaknesses CWE-284
CWE-285

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description This issue was addressed by adding an additional prompt for user consent. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, visionOS 26.5. An app may be able to access user-sensitive data.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-12T18:08:21.158Z

Reserved: 2026-03-03T16:36:03.995Z

Link: CVE-2026-28993

Vulnrichment

Updated: 2026-05-12T18:08:13.915Z

NVD

Status: Undergoing Analysis

Published: 2026-05-11T21:18:59.220

Modified: 2026-05-12T18:16:50.160

Link: CVE-2026-28993

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T01:00:23Z

Weaknesses