CVE-2026-28920 Overview
CVE-2026-28920 is an information disclosure vulnerability affecting multiple Apple operating systems. The flaw allows a maliciously crafted website to leak sensitive data when visited by a user. Apple addressed the issue by adding validation logic across its operating system family. The weakness is classified under [CWE-200] (Exposure of Sensitive Information to an Unauthorized Actor) and requires user interaction in the form of visiting an attacker-controlled web resource.
Critical Impact
Visiting a maliciously crafted website may leak sensitive data from the user's device across iOS, iPadOS, macOS, tvOS, visionOS, and watchOS platforms.
Affected Products
- Apple iOS and iPadOS (fixed in iOS 18.7.9, iPadOS 18.7.9, iOS 26.5, iPadOS 26.5)
- Apple macOS (fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5)
- Apple tvOS 26.5, visionOS 26.5, and watchOS 26.5
Discovery Timeline
- 2026-05-11 - CVE-2026-28920 published to the National Vulnerability Database
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-28920
Vulnerability Analysis
The vulnerability is an information leakage flaw resolved through additional validation in Apple's operating system components. An attacker hosts a maliciously crafted website and lures a victim into loading the page. The page triggers behavior in the affected component that exposes sensitive data outside the expected security boundary. Because the bug spans iOS, iPadOS, macOS, tvOS, visionOS, and watchOS, the affected code path is likely shared across Apple's platform stack, such as a system framework reachable from the web rendering engine.
Apple's advisory text states that the issue "was addressed with additional validation," indicating the prior code path failed to validate inputs or state before returning data to the requesting context. The vulnerability does not enable code execution or modification of system state, but it weakens confidentiality guarantees for users browsing untrusted content.
Root Cause
The root cause is missing input or state validation in a component reachable from web content. Without this validation, the component returned data that should have remained isolated from the calling web context. Apple's fix introduces validation checks before sensitive data is processed or returned.
Attack Vector
Exploitation requires the victim to visit a maliciously crafted website. The attacker does not need credentials or prior access to the device. Delivery vectors include phishing emails, malicious advertisements, compromised legitimate sites, and links shared through messaging platforms. No technical proof-of-concept is publicly available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
No verified proof-of-concept code is available for CVE-2026-28920.
Refer to Apple's security advisories listed under Patch Information
for vendor-supplied technical context.
Detection Methods for CVE-2026-28920
Indicators of Compromise
- No vendor-published indicators of compromise are associated with CVE-2026-28920 at this time.
- Unexpected outbound connections from browser processes to unfamiliar domains immediately after a user visits a new website.
- Browser telemetry showing repeated visits to newly registered or low-reputation domains delivered through phishing or malvertising.
Detection Strategies
- Monitor endpoint telemetry for Apple devices running unpatched OS builds and correlate with web browsing activity to high-risk domains.
- Inspect web proxy and DNS logs for connections to domains flagged in threat intelligence feeds for browser-targeted information disclosure campaigns.
- Track devices reporting OS versions older than iOS 18.7.9, iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, or any 26.5 release across the Apple platform family.
Monitoring Recommendations
- Maintain an up-to-date inventory of Apple device OS versions and flag devices that remain below the patched builds.
- Alert on user reports of unexpected data exposure or browser anomalies following visits to unfamiliar sites.
- Review URL filtering logs for clusters of users accessing the same newly observed domain, which can indicate a phishing campaign.
How to Mitigate CVE-2026-28920
Immediate Actions Required
- Update Apple devices to iOS 18.7.9, iPadOS 18.7.9, iOS 26.5, iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, or watchOS 26.5.
- Enforce patch deployment through mobile device management (MDM) policies for managed Apple fleets.
- Communicate phishing awareness guidance to users, emphasizing caution when clicking links from untrusted sources.
Patch Information
Apple has released fixes across all affected platforms. Refer to the vendor advisories for build-specific details: Apple Support Article 127110, Apple Support Article 127111, Apple Support Article 127115, Apple Support Article 127116, Apple Support Article 127117, Apple Support Article 127118, Apple Support Article 127119, and Apple Support Article 127120.
Workarounds
- No vendor-supplied workaround exists; applying the security updates is the only complete mitigation.
- Restrict browsing to trusted sites and deploy DNS or web filtering to block known malicious domains until devices are patched.
- Disable or limit web preview features in messaging applications on unpatched devices to reduce automatic content loading.
# Verify the installed OS build on macOS
sw_vers
# Trigger software update check on macOS
sudo softwareupdate --list
sudo softwareupdate --install --all --restart
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
