Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-28914

CVE-2026-28914: Apple macOS Gatekeeper Bypass Vulnerability

CVE-2026-28914 is a Gatekeeper bypass flaw in Apple macOS that allows malicious ZIP archives to evade security checks. This article covers the logic issue, affected macOS versions, security impact, and mitigation.

Published:

CVE-2026-28914 Overview

CVE-2026-28914 is a logic flaw in Apple macOS that allows a maliciously crafted ZIP archive to bypass Gatekeeper checks. Gatekeeper enforces code-signing and notarization policies on downloaded content. By exploiting improper file handling during archive processing, an attacker can deliver unsigned or unnotarized payloads that execute without the expected security prompts. Apple fixed the issue in macOS Tahoe 26.5. The vulnerability is tracked under [CWE-358: Improperly Implemented Security Check for Standard].

Critical Impact

A crafted ZIP archive can bypass Gatekeeper, enabling execution of untrusted content on macOS endpoints and undermining the operating system's primary defense against malicious downloads.

Affected Products

  • Apple macOS versions prior to macOS Tahoe 26.5
  • Systems relying on Gatekeeper for code-signing and notarization enforcement
  • Endpoints that process ZIP archives from untrusted sources (email, browsers, messaging)

Discovery Timeline

  • 2026-05-11 - CVE-2026-28914 published to NVD
  • 2026-05-14 - Last updated in NVD database

Technical Details for CVE-2026-28914

Vulnerability Analysis

The flaw resides in how macOS handles file extraction from ZIP archives. Gatekeeper relies on the com.apple.quarantine extended attribute to identify content downloaded from untrusted sources. When a user opens quarantined content, Gatekeeper validates code signatures and notarization tickets before permitting execution. The logic issue in CVE-2026-28914 allows specially constructed ZIP archives to evade these checks during extraction or launch, so payloads that would otherwise be blocked run without verification.

Exploitation requires user interaction. A victim must download the crafted archive and open the extracted content. Successful exploitation does not directly impact confidentiality or availability, but it enables high-impact integrity violations because untrusted code executes with the user's privileges.

Root Cause

The defect is an improperly implemented security check during archive handling. Apple addressed it with improved file handling in macOS Tahoe 26.5. The underlying weakness, [CWE-358], indicates that the standard Gatekeeper enforcement path failed to apply correctly to certain ZIP archive structures, leaving the integrity boundary intact in code but bypassable in practice.

Attack Vector

An attacker crafts a ZIP archive whose internal structure causes macOS to omit or mishandle quarantine propagation or signature verification on the extracted contents. The archive is delivered through phishing, drive-by download, or supply-chain distribution. When the user extracts and launches the embedded payload, Gatekeeper does not block or warn, and the code executes as if it were trusted. Refer to the Apple Support Article for vendor details.

Detection Methods for CVE-2026-28914

Indicators of Compromise

  • Execution of unsigned or non-notarized binaries originating from extracted ZIP archives
  • Files lacking the com.apple.quarantine extended attribute despite originating from a downloaded archive
  • ZIP archives with anomalous central directory structures, symlinks, or unusual entry naming conventions

Detection Strategies

  • Monitor process creation events where the parent is an archive utility such as Archive Utility.app or unzip and the child is an unsigned Mach-O binary
  • Audit extended attributes on newly created files using xattr -l to verify quarantine propagation from parent archives
  • Inspect ZIP archives delivered via email or web gateways for nested executables, AppleDouble metadata, or symlinks that point outside the extraction root

Monitoring Recommendations

  • Centralize macOS endpoint telemetry covering file creation, extended attribute changes, and code-signing verification failures
  • Alert on Gatekeeper assessment events emitted by syspolicyd that indicate skipped or short-circuited evaluations
  • Track first-seen binary executions per host and correlate with recent archive extraction activity

How to Mitigate CVE-2026-28914

Immediate Actions Required

  • Upgrade affected systems to macOS Tahoe 26.5 or later without delay
  • Restrict execution of binaries extracted from archives received via email or messaging until patching is verified
  • Educate users to validate the source of ZIP archives before extraction and execution

Patch Information

Apple resolved CVE-2026-28914 in macOS Tahoe 26.5 by improving file handling during archive processing. Administrators should deploy the update through Mobile Device Management (MDM) or Software Update. Verify installation by confirming the system version in About This Mac or via sw_vers -productVersion. The vendor advisory is available in the Apple Support Article.

Workarounds

  • Block inbound ZIP archives at email and web gateways where business processes permit
  • Enforce a managed allowlist of signed and notarized applications using MDM configuration profiles
  • Require users to extract archives only within monitored directories and review extended attributes before launching contents
bash
# Verify macOS version and Gatekeeper status
sw_vers -productVersion
spctl --status

# Inspect quarantine attribute on a suspicious file
xattr -l /path/to/extracted/file

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.