CVE-2026-28873 Overview
CVE-2026-28873 is an authorization vulnerability affecting Apple iOS and iPadOS. The flaw allows an application to circumvent App Privacy Report logging. App Privacy Report is the iOS feature that records which apps access sensitive data and contact which domains. An app exploiting this issue can perform privacy-relevant operations without those operations being recorded for the user to review.
Apple addressed the issue with additional entitlement checks. Fixes are available in iOS 18.7.9, iPadOS 18.7.9, iOS 26.4, and iPadOS 26.4. The weakness is classified as [CWE-863: Incorrect Authorization].
Critical Impact
A malicious or compromised app can hide its access to sensitive data and network destinations from the user-facing App Privacy Report, undermining transparency controls on iOS and iPadOS devices.
Affected Products
- Apple iOS versions prior to 18.7.9
- Apple iPadOS versions prior to 18.7.9
- Apple iOS and iPadOS versions prior to 26.4
Discovery Timeline
- 2026-05-11 - CVE-2026-28873 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-28873
Vulnerability Analysis
The vulnerability resides in the App Privacy Report subsystem of iOS and iPadOS. App Privacy Report records sensor access, location queries, contacts and photo access, and network domains contacted by installed apps. Users rely on these logs to audit app behavior and detect privacy abuse.
The flaw allows an app to perform tracked operations without generating entries in the privacy log. Apple's advisory describes the root cause as insufficient entitlement validation in the components responsible for logging privacy-relevant events. The fix adds explicit entitlement checks to ensure callers cannot bypass the logging path.
The vulnerability does not directly grant access to data the app would not otherwise reach. Its impact is on visibility and accountability. A malicious app combining this issue with other access paths can operate covertly against the device owner.
Root Cause
The component logging App Privacy Report events did not adequately verify the entitlements of the calling process. Code paths reachable by an app could skip or suppress event recording. This is consistent with [CWE-863], where an authorization decision is performed against incomplete or incorrect criteria.
Attack Vector
Exploitation requires an attacker-controlled app on the device. The app invokes the affected code path to perform privacy-sensitive operations while suppressing log entries. No user interaction beyond installing the app is required. The network attack vector reflects that the app can subsequently contact remote endpoints whose access remains hidden from the user.
The vulnerability mechanism centers on missing entitlement enforcement within the privacy logging pipeline. See the Apple Support Article #126792 and Apple Support Article #127111 for vendor details.
Detection Methods for CVE-2026-28873
Indicators of Compromise
- Apps observed contacting unexpected network destinations that do not appear in the App Privacy Report for the same time window
- Discrepancies between network telemetry collected by enterprise MDM or VPN solutions and on-device App Privacy Report entries
- Installed apps requesting entitlements unrelated to their stated functionality
Detection Strategies
- Cross-correlate on-device App Privacy Report data with network-layer logs from enterprise proxies or DNS resolvers to surface gaps
- Inventory installed iOS and iPadOS versions through MDM and flag devices running builds earlier than 18.7.9 or 26.4
- Review apps distributed outside the App Store or via enterprise provisioning for unusual entitlement requests
Monitoring Recommendations
- Forward MDM compliance and OS version telemetry to a centralized analytics platform for continuous version tracking
- Monitor DNS and TLS SNI logs for connections originating from managed iOS devices to identify destinations not reflected in App Privacy Report
- Alert on newly sideloaded or enterprise-signed apps following published exploitation research
How to Mitigate CVE-2026-28873
Immediate Actions Required
- Update all iPhone and iPad devices to iOS 18.7.9, iPadOS 18.7.9, iOS 26.4, or iPadOS 26.4 or later
- Use MDM to enforce minimum OS versions and report on non-compliant devices
- Audit installed third-party apps, especially those installed via enterprise provisioning or TestFlight
Patch Information
Apple released fixes in iOS 18.7.9 and iPadOS 18.7.9, and in iOS 26.4 and iPadOS 26.4. The patch introduces additional entitlement checks within the App Privacy Report logging path. Refer to Apple Support Article #126792 and Apple Support Article #127111 for the official advisories and update instructions.
Workarounds
- No vendor-supplied workaround exists; apply the official update
- Restrict app installation to vetted sources and enforce App Store-only installation through MDM policy where feasible
- Rely on network-side logging via enterprise proxies or DNS filtering to retain visibility into app traffic until devices are patched
# Example MDM compliance query (Jamf Pro Classic API) to list devices below the patched build
curl -s -u "$JAMF_USER:$JAMF_PASS" \
-H "Accept: application/xml" \
"$JAMF_URL/JSSResource/mobiledevices/subset/General" \
| xmllint --xpath "//mobile_device[os_version<'18.7.9']/name/text()" -
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
