The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-28866

CVE-2026-28866: Apple iPadOS Information Disclosure Flaw

CVE-2026-28866 is an information disclosure vulnerability in Apple iPadOS caused by improper symlink validation. Apps may access sensitive user data. This article covers technical details, affected versions, and patches.

Published: March 27, 2026

CVE-2026-28866 Overview

CVE-2026-28866 is a symlink validation vulnerability affecting multiple Apple operating systems including iOS, iPadOS, and macOS. The vulnerability stems from improper validation of symbolic links, which could allow a malicious application to access sensitive user data by exploiting the flawed symlink handling mechanism. Apple has addressed this issue with improved validation of symlinks across all affected platforms.

Critical Impact

A locally installed malicious application could exploit this vulnerability to bypass file system protections and access sensitive user data without proper authorization.

Affected Products

  • Apple iOS versions prior to 18.7.7 and 26.4
  • Apple iPadOS versions prior to 18.7.7 and 26.4
  • Apple macOS Sequoia versions prior to 15.7.5, macOS Sonoma versions prior to 14.8.5, and macOS Tahoe versions prior to 26.4

Discovery Timeline

  • 2026-03-25 - CVE-2026-28866 published to NVD
  • 2026-03-25 - Last updated in NVD database

Technical Details for CVE-2026-28866

Vulnerability Analysis

This vulnerability is classified under CWE-59 (Improper Link Resolution Before File Access), commonly known as a symlink attack or symlink following vulnerability. The flaw exists in how Apple's operating systems handle symbolic link validation before allowing file access operations.

When an application creates or follows a symbolic link, the operating system should properly validate that the link target is within the expected boundaries and that the requesting process has appropriate permissions to access the target. In vulnerable versions of iOS, iPadOS, and macOS, this validation was insufficient, allowing applications to potentially traverse directory structures and access files outside their intended sandbox.

The local attack vector means that an attacker would need to have an application installed on the target device. This application could then exploit the symlink vulnerability to read sensitive user data that would normally be protected by the operating system's file permission model.

Root Cause

The root cause of CVE-2026-28866 lies in the insufficient validation of symbolic links during file system operations. The operating system failed to properly resolve and verify symlink targets before granting file access, allowing malicious applications to use crafted symlinks to escape their sandbox restrictions. This represents a classic Time-of-Check Time-of-Use (TOCTOU) style vulnerability where the symlink target could be manipulated between validation and actual access.

Attack Vector

Exploitation of this vulnerability requires local access via a malicious application installed on the target device. The attack flow would typically involve:

  1. A malicious application creates a symbolic link pointing to a sensitive file or directory
  2. The application triggers a file operation that follows the symlink
  3. Due to improper validation, the operating system allows access to the target file
  4. The malicious application can then read sensitive user data that should be protected

The vulnerability does not require user interaction or special privileges to exploit, making it relatively straightforward for a malicious app to leverage once installed on a device.

Detection Methods for CVE-2026-28866

Indicators of Compromise

  • Unusual file access patterns from applications attempting to read files outside their designated container directories
  • Presence of suspicious symbolic links in temporary directories or application data folders pointing to sensitive system or user data locations
  • Application logs showing repeated attempts to access protected user data directories
  • Anomalous file system activity from sandboxed applications

Detection Strategies

  • Monitor for applications creating symbolic links that point to sensitive directories such as /var/mobile/Library/, ~/Library/, or other protected paths
  • Implement file integrity monitoring to detect unexpected symlink creation in application sandboxes
  • Review application behavior for attempts to access files via symlink chains that cross security boundaries
  • Deploy endpoint detection solutions capable of identifying symlink-based sandbox escape attempts

Monitoring Recommendations

  • Enable enhanced logging for file system operations on critical systems
  • Configure alerts for symlink creation events in sensitive directories
  • Monitor application behavior post-installation for suspicious file access patterns
  • Implement behavioral analysis to detect applications attempting to access data outside their expected scope

How to Mitigate CVE-2026-28866

Immediate Actions Required

  • Update all Apple devices to the latest patched versions: iOS 18.7.7, iOS 26.4, iPadOS 18.7.7, iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, or macOS Tahoe 26.4
  • Review installed applications and remove any untrusted or suspicious apps
  • Enable automatic updates to ensure timely delivery of future security patches
  • For enterprise environments, prioritize patch deployment for devices containing sensitive data

Patch Information

Apple has released security updates addressing this vulnerability across all affected platforms. The patches implement improved validation of symbolic links to prevent unauthorized file access. Detailed information is available in the following Apple Security Advisories:

  • Apple Support Advisory #126792
  • Apple Support Advisory #126793
  • Apple Support Advisory #126794
  • Apple Support Advisory #126795
  • Apple Support Advisory #126796

Workarounds

  • Limit application installation to trusted sources such as the official App Store and verified enterprise distribution channels
  • Implement Mobile Device Management (MDM) policies to restrict application installation on corporate devices
  • For macOS systems, consider enabling additional security features such as Gatekeeper and System Integrity Protection (SIP)
  • Monitor devices for unusual application behavior until patches can be applied
bash
# Verify macOS version to confirm patch status
sw_vers

# Check for pending software updates on macOS
softwareupdate --list

# Install available security updates
softwareupdate --install --all

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeInformation Disclosure
  • Vendor/TechApple Ipados
  • SeverityMEDIUM
  • CVSS Score6.2
  • EPSS Probability0.01%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityNone
  • CWE References
  • CWE-59
  • Vendor Resources
  • Apple Support Advisory #126792
  • Apple Support Advisory #126793
  • Apple Support Advisory #126794
  • Apple Support Advisory #126795
  • Apple Support Advisory #126796
  • Related CVEs
  • CVE-2024-54492: Apple iPadOS Information Disclosure Flaw
  • CVE-2026-28877: Apple iPadOS Information Disclosure Flaw
  • CVE-2026-20694: Apple iPadOS Information Disclosure Flaw
  • CVE-2026-20692: Apple iPadOS Privacy Information Disclosure
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English