Impact
A permissions flaw in the Apple web browser stack allows a malicious web page to access and leak sensitive data. When the page is visited, the browser is given more privileges than intended, which enables disclosure of private information such as cookies, credentials, or other local data. The weakness is a classic permissions problem and could compromise user privacy if exploited.
Affected Systems
Apple Safari, iOS, iPadOS, and macOS Tahoe are affected. The flaw is resolved in Safari 26.5.2, iOS 26.5.2, iPadOS 26.5.2, and macOS Tahoe 26.5.2, each of which removes the excessive access that permits data leakage.
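A patch-level check against the fixed release listed above, as an added example that is not part of the advisory. It assumes a POSIX shell on macOS, Safari installed at /Applications/Safari.app, and that any version below 26.5.2 lacks the fix; `version_ge`, `patch_status` and `check_host` are names made up for this example.

```shell
#!/bin/sh
# Fixed release named in the advisory for Safari, iOS, iPadOS and macOS Tahoe.
FIXED="26.5.2"

# version_ge A B: return 0 if dotted version A >= B, 1 if A < B,
# 2 if either value is empty or not purely digits and dots.
# Fields are compared numerically (26.10 > 26.5); missing fields count as 0.
version_ge() {
    case "$1" in ""|*[!0-9.]*) return 2 ;; esac
    case "$2" in ""|*[!0-9.]*) return 2 ;; esac
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# patch_status NAME VERSION: print a verdict and return version_ge's code.
patch_status() {
    rc=0
    version_ge "$2" "$FIXED" || rc=$?
    case $rc in
        0) echo "$1 $2: at or above fixed release $FIXED" ;;
        1) echo "$1 $2: below fixed release $FIXED, update required" ;;
        *) echo "$1 '$2': version not parsable, check manually" ;;
    esac
    return $rc
}

# check_host: read the local macOS and Safari versions (macOS only).
check_host() {
    host_rc=0
    patch_status macOS "$(sw_vers -productVersion)" || host_rc=1
    patch_status Safari "$(defaults read \
        /Applications/Safari.app/Contents/Info CFBundleShortVersionString)" \
        || host_rc=1
    return $host_rc
}

# Run the host check only where the macOS tooling exists.
if command -v sw_vers >/dev/null 2>&1; then check_host; fi
```

The same `patch_status` call can be fed iOS and iPadOS versions exported from a device-management inventory, since the advisory lists one fixed release number for all four products.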
Risk and Exploitability
No evidence of exploitation has been reported; an EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. The risk remains that an attacker can craft a malicious web page that, when loaded in an affected browser, reads sensitive data and transmits it out. The attack requires no special privileges beyond visiting a URL, which makes it potentially scalable for distributed web-based attacks. The absence of exploit data suggests limited current exploitation, but the inherent possibility of data exposure warrants prompt patching.
OpenCVE Enrichment