CVE-2026-28864 Overview
CVE-2026-28864 is an Incorrect Authorization vulnerability (CWE-863) affecting multiple Apple operating systems that allows a local attacker to gain unauthorized access to user's Keychain items. The vulnerability stems from insufficient permissions checking in the Keychain subsystem, which stores sensitive credentials, passwords, certificates, and cryptographic keys.
Apple addressed this security flaw with improved permissions checking across their entire ecosystem, including iOS, iPadOS, macOS, visionOS, and watchOS. Organizations and individuals using Apple devices should prioritize updating to patched versions to protect their stored credentials.
Critical Impact
Local attackers can access sensitive Keychain items including stored passwords, authentication tokens, and cryptographic keys, potentially compromising user accounts and encrypted data.
Affected Products
- Apple iOS (versions prior to 18.7.7 and 26.4)
- Apple iPadOS (versions prior to 18.7.7 and 26.4)
- Apple macOS Sequoia (versions prior to 15.7.5)
- Apple macOS Sonoma (versions prior to 14.8.5)
- Apple macOS Tahoe (versions prior to 26.4)
- Apple visionOS (versions prior to 26.4)
- Apple watchOS (versions prior to 26.4)
Discovery Timeline
- 2026-03-25 - CVE-2026-28864 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-28864
Vulnerability Analysis
This vulnerability is classified as Incorrect Authorization (CWE-863), which occurs when software does not properly verify that a user is authorized to access a resource or perform an action. In this case, the Apple Keychain subsystem failed to adequately validate permissions before granting access to stored items.
The Keychain is a critical security component in Apple's ecosystem, responsible for securely storing sensitive information including passwords, encryption keys, certificates, and secure notes. A permissions bypass in this component could allow unauthorized processes or users to retrieve credentials they should not have access to.
The attack requires local access to the target device and user interaction, which limits the attack surface but still presents a significant risk in shared computing environments or scenarios where an attacker has already established a foothold on the system.
Root Cause
The root cause of CVE-2026-28864 lies in insufficient permissions checking within the Keychain access control mechanisms. The vulnerability allowed processes to bypass the normal authorization flow that should verify whether a requesting application or user has the appropriate entitlements to access specific Keychain items.
Apple's security model relies on proper access control list (ACL) verification and entitlement checking before granting Keychain access. The flaw indicates a gap in this verification logic that could be exploited to circumvent these protections.
Attack Vector
The exploitation of this vulnerability requires local access to the affected device. An attacker with physical access or through a malicious application installed on the device could leverage this flaw to extract sensitive Keychain items without proper authorization.
The attack scenario may involve a malicious application that requests Keychain access and exploits the permissions checking weakness to retrieve credentials belonging to other applications or system components. This could enable credential theft, session hijacking, or further privilege escalation.
Since the vulnerability requires user interaction (UI:R in the CVSS vector), the attack may depend on social engineering to convince the user to run a malicious application or perform specific actions that trigger the vulnerability.
Detection Methods for CVE-2026-28864
Indicators of Compromise
- Unusual Keychain access attempts from untrusted or unsigned applications
- System logs showing abnormal Keychain queries from processes that should not require credential access
- Unexpected authentication token usage or credential-based access from unknown sources
- Applications requesting Keychain access without legitimate business need
Detection Strategies
- Monitor system logs for securityd and Keychain-related events showing access attempts from unauthorized processes
- Implement application allowlisting to restrict which apps can interact with Keychain subsystems
- Deploy endpoint detection solutions that can identify anomalous Keychain access patterns
- Review Mobile Device Management (MDM) logs for unusual credential access events on managed devices
Monitoring Recommendations
- Enable unified logging for security subsystems and review security and securityd log streams
- Configure alerts for Keychain access attempts from newly installed or modified applications
- Monitor for bulk credential access patterns that could indicate credential harvesting
- Implement SentinelOne Singularity for real-time behavioral analysis of Keychain interactions
How to Mitigate CVE-2026-28864
Immediate Actions Required
- Update all affected Apple devices to the latest patched versions immediately
- Review installed applications and remove any untrusted or unnecessary software
- Enable automatic updates to ensure timely deployment of future security patches
- Audit Keychain contents and rotate credentials that may have been exposed on unpatched devices
Patch Information
Apple has released security updates addressing this vulnerability across all affected platforms. Refer to the official Apple Security Advisories for detailed patching guidance:
- Apple Security Advisory #126792
- Apple Security Advisory #126793
- Apple Security Advisory #126794
- Apple Security Advisory #126795
- Apple Security Advisory #126796
- Apple Security Advisory #126798
- Apple Security Advisory #126799
Update to the following fixed versions:
- iOS 18.7.7 or 26.4 and iPadOS 18.7.7 or 26.4
- macOS Sequoia 15.7.5
- macOS Sonoma 14.8.5
- macOS Tahoe 26.4
- visionOS 26.4
- watchOS 26.4
Workarounds
- Restrict application installation to trusted sources (App Store only) via MDM policies
- Limit physical access to devices until patches can be applied
- Consider temporarily disabling third-party Keychain integration for critical systems
- Implement network segmentation to limit lateral movement if credentials are compromised
# Check current macOS version
sw_vers -productVersion
# Enable automatic updates via command line
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool true
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool true
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
