CVE-2026-28877 - Vulnerability Details - OpenCVE

An authorization issue was addressed with improved state management. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Tahoe 26.4, visionOS 26.4, watchOS 26.4. An app may be able to access sensitive user data.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Key SSVC decision points have not yet been added.

Vendors	Products
Apple	Ios And Ipados Macos Visionos Watchos

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Apple	Ios And Ipados Macos Visionos Watchos

References

Link	Providers
https://support.apple.com/en-us/126792
https://support.apple.com/en-us/126794
https://support.apple.com/en-us/126795
https://support.apple.com/en-us/126798
https://support.apple.com/en-us/126799

History

Wed, 25 Mar 2026 22:00:00 +0000

Type	Values Removed	Values Added
Title		Authorization Bypass Allows App to Access Sensitive User Data via Improper State Management
Weaknesses		CWE-285

Wed, 25 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple ios And Ipados Apple macos Apple visionos Apple watchos
Vendors & Products		Apple Apple ios And Ipados Apple macos Apple visionos Apple watchos

Wed, 25 Mar 2026 01:00:00 +0000

Type	Values Removed	Values Added
Description		An authorization issue was addressed with improved state management. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Tahoe 26.4, visionOS 26.4, watchOS 26.4. An app may be able to access sensitive user data.
References		https://support.apple.com/en-us/126792 https://support.apple.com/en-us/126794 https://support.apple.com/en-us/126795 https://support.apple.com/en-us/126798 https://support.apple.com/en-us/126799

MITRE

Status: PUBLISHED

Assigner: apple

Published: 2026-03-25T00:32:00.502Z

Updated: 2026-03-25T00:32:00.502Z

Reserved: 2026-03-03T16:36:03.974Z

Link: CVE-2026-28877

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-25T01:17:11.517

Modified: 2026-03-25T15:41:33.977

Link: CVE-2026-28877

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:56:29Z

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "iOS and iPadOS", "source": "cna", "vendor": "Apple"}, "product": "ios_and_ipados", "vendor": "apple"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,15.7.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "macOS", "source": "cna", "vendor": "Apple"}, "product": "macos", "vendor": "apple"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "visionOS", "source": "cna", "vendor": "Apple"}, "product": "visionos", "vendor": "apple"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "watchOS", "source": "cna", "vendor": "Apple"}, "product": "watchos", "vendor": "apple"}], "analysis": {"en": {"generated_at": "2026-03-25T04:06:08.191042+00:00", "value": {"mitigation_remediation": ["Apply the latest OS updates: iOS 26.4, iPadOS 26.4, macOS Sequoia 15.7.5, macOS Tahoe 26.4, visionOS 26.4, or watchOS 26.4", "Confirm successful installation by checking the version number in the system settings or referencing Apple support documentation"], "summary": {"action": "Patch", "impact": "Unauthorized Access to Sensitive User Data"}, "threat_synthesis": {"affected_systems": "Devices running Apple iOS, iPadOS, macOS, visionOS, or watchOS that have not been updated to the specified fixed versions are vulnerable. The update releases that address the flaw include iOS 26.4, iPadOS 26.4, macOS Sequoia 15.7.5, macOS Tahoe 26.4, visionOS 26.4, and watchOS 26.4.", "description_and_impact": "A flaw in the way Apple operating systems manage application state allows an application to bypass authorization checks and read data that should be protected. The vulnerability is classed as an authorization bypass, enabling a malicious or untrusted app to obtain sensitive user information. The impact is a compromise of confidentiality for any data accessible through the affected systems.", "risk_and_exploitability": "The severity score for this issue is not publicly reported and no exploit probability score is available. This vulnerability is not listed in the CISA known exploited vulnerabilities catalog, which suggests there is no documented large\u2011scale exploitation to date. Exploitation would likely require an attacker to develop or distribute a malicious application that triggers the state\u2011management flaw to gain unauthorized access to user data."}}}}, "created": "2026-03-25T11:36:45.625892+00:00", "title": "Authorization Bypass Allows App to Access Sensitive User Data via Improper State Management", "updated": "2026-03-25T20:56:29.266599+00:00", "vendors": ["apple", "apple$PRODUCT$ios_and_ipados", "apple$PRODUCT$macos", "apple$PRODUCT$visionos", "apple$PRODUCT$watchos"], "weaknesses": ["CWE-285"]}