CVE-2026-28907 Overview
CVE-2026-28907 is an input validation vulnerability [CWE-20] affecting Apple's web content processing across multiple operating systems. Processing maliciously crafted web content may prevent Content Security Policy (CSP) from being enforced. Apple addressed the issue with improved input validation in Safari 26.5, iOS 18.7.9, iPadOS 18.7.9, iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5. The flaw carries a CVSS score of 8.1: it is exploitable over the network, requires user interaction, and has high impact on confidentiality and integrity.
Critical Impact
Attackers can bypass Content Security Policy enforcement, enabling cross-site scripting and data exfiltration through otherwise blocked content sources.
Affected Products
- Apple iOS and iPadOS (prior to 18.7.9 and 26.5)
- Apple macOS Tahoe (prior to 26.5) and Safari (prior to 26.5)
- Apple tvOS, visionOS, and watchOS (prior to 26.5)
Discovery Timeline
- 2026-05-11 - CVE-2026-28907 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-28907
Vulnerability Analysis
The vulnerability resides in how Apple's web rendering stack validates input when applying Content Security Policy directives. Maliciously crafted web content can manipulate parsing logic to cause the browser to skip CSP enforcement. When CSP is bypassed, an attacker can load script, frame, or connect sources that the policy was intended to block.
The issue requires user interaction such as visiting an attacker-controlled page or rendering hostile content embedded in a third-party site. Once CSP is suppressed, downstream protections against cross-site scripting (XSS), data exfiltration, and clickjacking are weakened. Apple categorized the fix under improved input validation, indicating malformed inputs were not properly sanitized before policy evaluation. The EPSS probability stands at 0.149%.
Root Cause
The root cause is improper input validation [CWE-20] in the component responsible for processing CSP-relevant web content. Specific parsing paths accept malformed values that subsequently disable or skip policy checks rather than rejecting the input.
Attack Vector
An attacker hosts or injects malicious web content and lures the victim to render it in an unpatched Apple browser or WebView. The crafted content triggers the parsing flaw, allowing scripts or resources blocked by CSP to execute. Successful exploitation can lead to credential theft, session hijacking, or arbitrary script execution within the victim origin.
No public proof-of-concept code is available for this vulnerability. Refer to the Apple Security Document #127110 for vendor guidance.
Detection Methods for CVE-2026-28907
Indicators of Compromise
- Unexpected script execution from origins not permitted by the deployed CSP
- Browser telemetry showing CSP report-uri or report-to violations followed by successful loads of the same blocked resources
- Renderer process loading external resources despite restrictive Content-Security-Policy headers
Detection Strategies
- Monitor Apple endpoints for OS and Safari build versions below the patched releases listed in the Apple advisories
- Aggregate CSP violation reports server-side and alert on anomalies where blocked content nonetheless triggers downstream activity
- Inspect web proxy logs for connections to suspicious domains originating from Safari or WebKit-based applications shortly after page visits
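The correlation described in the strategies above (CSP violation reports followed by successful loads of the blocked resource from a WebKit client) can be scripted server-side. The following is an added example, not code from the advisory or from Apple; the report shapes follow the legacy report-uri and Reporting API (report-to) formats, while the proxy log layout, hostnames and timestamps are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def blocked_host(report):
    """Return (host, directive) from either CSP report shape.
    Legacy report-uri bodies nest under "csp-report" with kebab-case keys;
    Reporting API (report-to) bodies nest under "body" with camelCase keys."""
    if "csp-report" in report:
        r = report["csp-report"]
        url, directive = r.get("blocked-uri", ""), r.get("effective-directive", "")
    else:
        r = report.get("body", {})
        url, directive = r.get("blockedURL", ""), r.get("effectiveDirective", "")
    # Keyword values such as "inline" or "eval" carry no host and cannot be correlated.
    host = urlparse(url).hostname if "://" in url else None
    return host, directive

def parse_proxy_line(line):
    """Constructed proxy log layout: '<ISO ts> <client> <host> <status> <user-agent>'."""
    ts, client, host, status, ua = line.split(" ", 4)
    return {"ts": parse_ts(ts), "client": client, "host": host, "status": int(status), "ua": ua}

def correlate(reports, proxy_lines, window=timedelta(seconds=30)):
    """Alert when a host blocked by CSP is successfully fetched by a WebKit client
    within `window` after the collector received the violation report."""
    proxy = [parse_proxy_line(l) for l in proxy_lines]
    alerts = []
    for received_at, report in reports:
        host, directive = blocked_host(report)
        if host is None:
            continue
        t0 = parse_ts(received_at)
        for p in proxy:
            if (p["host"] == host and p["status"] == 200 and "WebKit" in p["ua"]
                    and t0 <= p["ts"] <= t0 + window):
                alerts.append({"host": host, "directive": directive, "client": p["client"]})
    return alerts

# Constructed sample data; hostnames are placeholders, not real indicators.
SAMPLE_REPORTS = [  # (collector receive time, report body as posted by the browser)
    ("2026-05-12T10:00:00Z", {"csp-report": {"blocked-uri": "https://cdn.untrusted.example/x.js",
                                             "effective-directive": "script-src"}}),
    ("2026-05-12T10:05:00Z", {"type": "csp-violation",
                              "body": {"blockedURL": "inline", "effectiveDirective": "script-src"}}),
]
SAMPLE_PROXY = [
    "2026-05-12T10:00:03Z 10.0.0.5 cdn.untrusted.example 200 Mozilla/5.0 (Macintosh) AppleWebKit/605.1.15",
    "2026-05-12T10:00:10Z 10.0.0.7 cdn.untrusted.example 200 curl/8.4.0",
    "2026-05-12T11:00:00Z 10.0.0.5 cdn.untrusted.example 200 Mozilla/5.0 (Macintosh) AppleWebKit/605.1.15",
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_REPORTS, SAMPLE_PROXY):
        print("ALERT: blocked host fetched after CSP violation:", a)
```

Only the first proxy line fires: the curl fetch is not a WebKit client and the later Safari fetch falls outside the correlation window.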
Monitoring Recommendations
- Track endpoint compliance with the patched OS versions (iOS/iPadOS 18.7.9 or 26.5, macOS Tahoe 26.5, and equivalents)
- Enable CSP reporting endpoints on internal web applications to surface bypass attempts
- Correlate browsing telemetry with EDR process activity to spot post-exploitation behavior such as credential access
How to Mitigate CVE-2026-28907
Immediate Actions Required
- Update all Apple devices to Safari 26.5, iOS/iPadOS 18.7.9 or 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5
- Inventory WebKit-based applications and confirm they consume the patched system WebKit framework
- Prioritize patching for users who handle sensitive credentials or browse untrusted content
Patch Information
Apple released fixes across its product line. Consult the relevant advisory for each platform: Apple Security Document #127110, #127111, #127115, #127118, #127119, #127120, and #127121.
Workarounds
- Restrict access to untrusted websites through enterprise web filtering until patching completes
- Deploy a strict CSP in report-only mode (Content-Security-Policy-Report-Only) on internal applications so policy violations are surfaced and logged
- Deploy mobile device management (MDM) policies that block deferral of OS updates on managed Apple devices
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.