CVE-2026-28864 Overview
CVE-2026-28864 is an authorization vulnerability (CWE-863) affecting multiple Apple operating systems. A local attacker may gain access to a user's Keychain items due to insufficient permissions checking. Apple addressed the issue with improved permissions validation across iOS, iPadOS, macOS, visionOS, and watchOS.
Exploitation requires local access and user interaction, limiting the practical attack surface. The vulnerability does not enable remote compromise or privilege escalation beyond Keychain data exposure.
Critical Impact
A local attacker who meets the preconditions can read sensitive Keychain entries, potentially exposing stored credentials, tokens, and certificates.
Affected Products
- Apple iOS and iPadOS prior to 18.7.7 and prior to 26.4
- Apple macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, and macOS Tahoe 26.4
- Apple visionOS 26.4 and watchOS 26.4
Discovery Timeline
- 2026-03-25 - CVE-2026-28864 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-28864
Vulnerability Analysis
The vulnerability resides in the Keychain access control logic across Apple platforms. The Keychain stores credentials, cryptographic keys, certificates, and other sensitive items. Apple's advisories describe the root cause as inadequate permissions checking when local processes request access to Keychain entries.
The issue is classified under CWE-863 (Incorrect Authorization). Authorization checks failed to fully validate whether the requesting context was entitled to retrieve the targeted Keychain items. Apple resolved the flaw by tightening permission validation paths before returning Keychain data.
No public exploit is available, and CISA has not added the issue to the Known Exploited Vulnerabilities catalog. The EPSS probability is 0.01%, reflecting low predicted exploitation activity.
Root Cause
The defect stems from missing or incomplete authorization checks in Keychain item retrieval paths. A local, unprivileged process could request items it should not be permitted to access. The fix introduces stricter permission validation before items are returned to the caller.
Attack Vector
An attacker requires local code execution on the device and user interaction to trigger the vulnerable path. The attack does not require prior authentication. Confidentiality impact is limited to Keychain items accessible through the flawed path; integrity and availability are not affected.
The vulnerability is described in prose only — Apple has not published technical exploitation details. See the Apple Support Document #126792 for additional vendor information.
Detection Methods for CVE-2026-28864
Indicators of Compromise
- Unexpected processes invoking Keychain Services APIs such as SecItemCopyMatching outside of normal application behavior
- Unsigned or recently installed binaries reading Keychain items shortly after user interaction prompts
- Anomalous access patterns to login.keychain-db or related Keychain data stores on macOS endpoints
Detection Strategies
- Inventory endpoints running unpatched iOS, iPadOS, macOS, visionOS, or watchOS builds listed in the affected versions
- Correlate process telemetry with Keychain API usage to identify non-allowlisted applications accessing credential storage
- Monitor for local privilege boundary crossings preceding Keychain queries
Monitoring Recommendations
- Enable endpoint telemetry that captures process execution, code signing status, and sensitive API usage on macOS hosts
- Track MDM compliance reports to confirm iOS, iPadOS, watchOS, and visionOS devices have installed the fixed builds
- Alert on locally executed scripts or binaries that query Keychain entries belonging to other applications
How to Mitigate CVE-2026-28864
Immediate Actions Required
- Update affected devices to iOS 18.7.7, iPadOS 18.7.7, iOS 26.4, iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, visionOS 26.4, or watchOS 26.4
- Use MDM policies to enforce minimum OS versions across managed Apple fleets
- Audit installed third-party applications that request Keychain access entitlements
Patch Information
Apple released fixes in the OS versions listed above. Reference the vendor advisories: Apple Support Document #126792, Apple Support Document #126793, Apple Support Document #126794, Apple Support Document #126795, Apple Support Document #126796, Apple Support Document #126798, and Apple Support Document #126799.
Workarounds
- Restrict installation of untrusted applications and profiles on affected devices until patches are applied
- Require user authentication for sensitive Keychain items by configuring stricter access control on stored credentials
- Rotate credentials and tokens stored in Keychain if local compromise is suspected on an unpatched device
# Verify macOS build version against the patched releases
sw_vers -productVersion
# Example MDM compliance query for iOS/iPadOS device OS version
profiles status -type enrollment
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

