
CVE-2026-28864: Apple iPadOS Privilege Escalation Flaw

CVE-2026-28864 is a privilege escalation vulnerability in Apple iPadOS that allows local attackers to access user Keychain items. This article covers the technical details, affected versions, and mitigation.


CVE-2026-28864 Overview

CVE-2026-28864 is an authorization vulnerability (CWE-863) affecting multiple Apple operating systems. A local attacker may gain access to a user's Keychain items due to insufficient permissions checking. Apple addressed the issue with improved permissions validation across iOS, iPadOS, macOS, visionOS, and watchOS.

Exploitation requires local access and user interaction, limiting the practical attack surface. The vulnerability does not enable remote compromise or privilege escalation beyond Keychain data exposure.

Critical Impact

A local attacker who meets the preconditions can read sensitive Keychain entries, potentially exposing stored credentials, tokens, and certificates.

Affected Products

  • Apple iOS and iPadOS prior to 18.7.7 and prior to 26.4
  • Apple macOS Sequoia prior to 15.7.5, macOS Sonoma prior to 14.8.5, and macOS Tahoe prior to 26.4
  • Apple visionOS prior to 26.4 and watchOS prior to 26.4

Discovery Timeline

  • 2026-03-25 - CVE-2026-28864 published to NVD
  • 2026-03-25 - Last updated in NVD database

Technical Details for CVE-2026-28864

Vulnerability Analysis

The vulnerability resides in the Keychain access control logic across Apple platforms. The Keychain stores credentials, cryptographic keys, certificates, and other sensitive items. Apple's advisories describe the root cause as inadequate permissions checking when local processes request access to Keychain entries.

The issue is classified under CWE-863 (Incorrect Authorization). Authorization checks failed to fully validate whether the requesting context was entitled to retrieve the targeted Keychain items. Apple resolved the flaw by tightening permission validation paths before returning Keychain data.

No public exploit is available, and CISA has not added the issue to the Known Exploited Vulnerabilities catalog. The EPSS probability is 0.01%, reflecting low predicted exploitation activity.

Root Cause

The defect stems from missing or incomplete authorization checks in Keychain item retrieval paths. A local, unprivileged process could request items it should not be permitted to access. The fix introduces stricter permission validation before items are returned to the caller.

Attack Vector

An attacker requires local code execution on the device and user interaction to trigger the vulnerable path. The attack does not require prior authentication. Confidentiality impact is limited to Keychain items accessible through the flawed path; integrity and availability are not affected.

The vulnerability is described in prose only; Apple has not published technical exploitation details. See Apple Support Document #126792 for additional vendor information.

Detection Methods for CVE-2026-28864

Indicators of Compromise

  • Unexpected processes invoking Keychain Services APIs such as SecItemCopyMatching outside of normal application behavior
  • Unsigned or recently installed binaries reading Keychain items shortly after user interaction prompts
  • Anomalous access patterns to login.keychain-db or related Keychain data stores on macOS endpoints

Detection Strategies

  • Inventory endpoints running unpatched iOS, iPadOS, macOS, visionOS, or watchOS builds listed in the affected versions
  • Correlate process telemetry with Keychain API usage to identify non-allowlisted applications accessing credential storage
  • Monitor for local privilege boundary crossings preceding Keychain queries

Monitoring Recommendations

  • Enable endpoint telemetry that captures process execution, code signing status, and sensitive API usage on macOS hosts
  • Track MDM compliance reports to confirm iOS, iPadOS, watchOS, and visionOS devices have installed the fixed builds
  • Alert on locally executed scripts or binaries that query Keychain entries belonging to other applications
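As an added example (not code from this page or from Apple), the indicators and detection strategies above written as one rule that runs over endpoint telemetry. The event schema, the allowlist, the sample events and the time thresholds are all constructed assumptions; adapt them to the fields your sensor actually emits.

```python
# Added example: flag Keychain access by non-allowlisted, unsigned or recently
# installed processes in endpoint telemetry. All data below is constructed.
import json
from datetime import datetime, timedelta

ALLOWLIST = {"com.apple.Safari", "com.example.passwordmanager"}  # hypothetical
KEYCHAIN_APIS = {"SecItemCopyMatching", "SecKeychainItemCopyContent"}
RECENT_INSTALL = timedelta(hours=24)   # "recently installed" threshold
PROMPT_WINDOW = timedelta(seconds=30)  # "shortly after user interaction prompt"

# Constructed telemetry, one JSON object per line; not real sensor output.
SAMPLE_EVENTS = """
{"ts":"2026-03-26T10:00:00","type":"api","proc":"com.apple.Safari","signed":true,"installed":"2025-01-01T00:00:00","api":"SecItemCopyMatching"}
{"ts":"2026-03-26T10:01:00","type":"prompt","proc":"com.contoso.helper"}
{"ts":"2026-03-26T10:01:10","type":"api","proc":"com.contoso.helper","signed":false,"installed":"2026-03-26T09:30:00","api":"SecItemCopyMatching"}
{"ts":"2026-03-26T10:05:00","type":"file","proc":"/tmp/helper-bin","signed":false,"installed":"2026-03-26T10:04:00","path":"/Users/alice/Library/Keychains/login.keychain-db"}
{"ts":"2026-03-26T10:06:00","type":"api","proc":"com.example.passwordmanager","signed":true,"installed":"2025-06-01T00:00:00","api":"SecItemCopyMatching"}
"""

def parse_events(text):
    return [json.loads(l) for l in text.strip().splitlines() if l.strip()]

def scan(events, allowlist=ALLOWLIST):
    """Return (process, reasons) for events matching the indicators above."""
    alerts, last_prompt = [], {}  # last_prompt: process -> time of its last prompt
    for ev in events:
        ts, proc = datetime.fromisoformat(ev["ts"]), ev["proc"]
        if ev["type"] == "prompt":
            last_prompt[proc] = ts
            continue
        api_hit = ev["type"] == "api" and ev.get("api") in KEYCHAIN_APIS
        file_hit = ev["type"] == "file" and ev.get("path", "").endswith("login.keychain-db")
        if not (api_hit or file_hit):
            continue
        if proc in allowlist and ev.get("signed"):
            continue  # expected application behaviour
        reasons = []
        if proc not in allowlist:
            reasons.append("non-allowlisted process")
        if not ev.get("signed"):
            reasons.append("unsigned binary")
        if ts - datetime.fromisoformat(ev["installed"]) <= RECENT_INSTALL:
            reasons.append("recently installed")
        if proc in last_prompt and ts - last_prompt[proc] <= PROMPT_WINDOW:
            reasons.append("Keychain read shortly after user prompt")
        if file_hit:
            reasons.append("direct access to login.keychain-db")
        alerts.append((proc, "; ".join(reasons)))
    return alerts
```

Signed, allowlisted applications pass silently; everything else that touches Keychain Services or the login keychain file is reported with every indicator it matched.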

How to Mitigate CVE-2026-28864

Immediate Actions Required

  • Update affected devices to iOS 18.7.7, iPadOS 18.7.7, iOS 26.4, iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, visionOS 26.4, or watchOS 26.4
  • Use MDM policies to enforce minimum OS versions across managed Apple fleets
  • Audit installed third-party applications that request Keychain access entitlements
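As an added example (not code from this page or from Apple), a compliance check that compares OS versions reported by an MDM inventory against the fixed builds listed above. The inventory rows and the product/major-version keying are constructed assumptions; the minimum versions are the ones this page names.

```python
# Added example: check OS versions reported by MDM against the fixed builds this
# page lists. Inventory rows are constructed; minimum versions come from the text.
FIXED = {  # (product line, major version) -> first fixed build
    ("iOS", 18): "18.7.7", ("iOS", 26): "26.4",
    ("iPadOS", 18): "18.7.7", ("iPadOS", 26): "26.4",
    ("macOS", 14): "14.8.5", ("macOS", 15): "15.7.5", ("macOS", 26): "26.4",
    ("visionOS", 26): "26.4", ("watchOS", 26): "26.4",
}

def parse_version(text):
    """'18.7.7' -> (18, 7, 7)."""
    return tuple(int(p) for p in text.strip().split("."))

def vcmp(a, b):
    """Compare version tuples, padding with zeros so 26.4 == 26.4.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def is_patched(product, version):
    """True/False, or None when the page lists no fixed build for that branch."""
    parts = parse_version(version)
    branches = {maj: fix for (prod, maj), fix in FIXED.items() if prod == product}
    if not branches:
        return None
    if parts[0] < min(branches):
        return False  # older than every fixed branch, so within "prior to"
    fixed = branches.get(parts[0])
    if fixed is None:
        return None  # e.g. a major between 18 and 26 the advisory does not name
    return vcmp(parts, parse_version(fixed)) >= 0

def noncompliant(inventory):
    """Return (device, product, version, status) for rows not known to be fixed."""
    out = []
    for device, product, version in inventory:
        ok = is_patched(product, version)
        if ok is not True:
            out.append((device, product, version, "unpatched" if ok is False else "unknown branch"))
    return out
```

Rows flagged "unknown branch" need a manual check against the vendor advisories rather than being assumed safe.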

Patch Information

Apple released fixes in the OS versions listed above. Reference the vendor advisories: Apple Support Document #126792, Apple Support Document #126793, Apple Support Document #126794, Apple Support Document #126795, Apple Support Document #126796, Apple Support Document #126798, and Apple Support Document #126799.

Workarounds

  • Restrict installation of untrusted applications and profiles on affected devices until patches are applied
  • Require user authentication for sensitive Keychain items by configuring stricter access control on stored credentials
  • Rotate credentials and tokens stored in Keychain if local compromise is suspected on an unpatched device

```bash
# Verify the macOS build version against the patched releases listed above
sw_vers -productVersion

# Confirm this Mac is enrolled in MDM, so a minimum-OS policy can be enforced on it
profiles status -type enrollment
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
