CVE-2026-28954 Overview
CVE-2026-28954 is a file quarantine bypass vulnerability affecting Apple iOS, iPadOS, and macOS. A maliciously crafted disk image can bypass Gatekeeper checks, allowing untrusted content to evade the macOS quarantine and code-signing validation mechanism. Apple addressed the issue with additional checks in iOS 18.7.9, iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, and macOS Tahoe 26.5. The flaw is classified under [CWE-290] (Authentication Bypass by Spoofing) and carries a CVSS 3.1 base score of 7.5. No public proof-of-concept or in-the-wild exploitation has been reported.
Critical Impact
Attackers can deliver a crafted disk image that bypasses Gatekeeper, allowing unsigned or untrusted code to run without the expected user warnings.
Affected Products
- Apple iOS and iPadOS prior to 18.7.9
- Apple macOS Sonoma prior to 14.8.7 and macOS Sequoia prior to 15.7.7
- Apple macOS Tahoe prior to 26.5
Discovery Timeline
- 2026-05-11 - CVE-2026-28954 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-28954
Vulnerability Analysis
The vulnerability resides in how macOS handles disk image (.dmg) files during quarantine evaluation. Gatekeeper inspects downloaded content for the com.apple.quarantine extended attribute and validates code signatures and notarization status before allowing execution. A maliciously crafted disk image can manipulate this evaluation path so that content extracted or mounted from the image is not subjected to the expected Gatekeeper checks.
The issue is categorized as [CWE-290] Authentication Bypass by Spoofing. Apple resolved it by adding further validation checks to the quarantine subsystem rather than altering trust semantics.
Root Cause
The root cause is insufficient validation in the quarantine handling logic for disk images. Specific structural properties of a crafted image cause the system to treat its contents as already trusted, bypassing the standard checks that would otherwise reject unsigned, unnotarized, or untrusted executables and bundles.
Attack Vector
The CVSS vector indicates a network-reachable attack with no privileges and no user interaction required for the bypass itself. In practice, exploitation involves an attacker hosting or delivering a crafted disk image, typically via web download, email attachment, or messaging. When the user mounts the image, payloads inside execute without triggering Gatekeeper prompts. The impact is limited to confidentiality (C:H); integrity and availability are not directly affected by the bypass alone, though follow-on payloads frequently extend impact.
No verified public exploit code is available for this issue. Refer to the Apple Security Advisory #127111 for vendor-supplied technical context.
Detection Methods for CVE-2026-28954
Indicators of Compromise
- Disk image (.dmg) files mounted shortly after download from untrusted sources, particularly without an associated com.apple.quarantine extended attribute on extracted contents.
- Execution of unsigned or unnotarized binaries originating from mounted disk images without a Gatekeeper user prompt.
- Unexpected child processes spawned by diskimagesmounteragent, hdiutil, or DiskImageMounter shortly after a browser or mail client writes a .dmg to disk.
Detection Strategies
- Monitor endpoint telemetry for process lineages where a downloader application is followed by .dmg mount events and subsequent execution of binaries from /Volumes/.
- Inspect extended attributes on files written from mounted images using xattr -l to confirm quarantine propagation.
- Correlate file-creation events for disk images with execution events and check for the absence of Gatekeeper assessment log entries in system.log and the unified log (log show --predicate 'subsystem == "com.apple.syspolicy"').
Monitoring Recommendations
- Enable and forward macOS Endpoint Security Framework (ESF) events covering ES_EVENT_TYPE_NOTIFY_MOUNT, ES_EVENT_TYPE_NOTIFY_EXEC, and quarantine-related file events to a centralized SIEM.
- Alert on execution from /Volumes/ paths where the parent disk image was downloaded within the last 24 hours.
- Track macOS build versions across the fleet to identify hosts still running pre-patch releases vulnerable to CVE-2026-28954.
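As an added example (not part of this advisory and not Apple tooling), the correlation rule from the detection and monitoring lists above, run over constructed telemetry: a browser writes a .dmg, the image is mounted, a binary executes from /Volumes/, and the benign case alone has a com.apple.syspolicy assessment entry. The event field names are assumptions, a simplified stand-in for ESF/unified-log records; the rule flags execs from an image downloaded within 24 hours that lack an assessment entry or the quarantine xattr.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (NOT real macOS/ESF output; field names are assumed).
EVENTS = [
    {"ts": "2026-05-12T09:00:00", "type": "file_create", "path": "/Users/a/Downloads/Installer.dmg", "proc": "Safari"},
    {"ts": "2026-05-12T09:01:10", "type": "mount", "image": "/Users/a/Downloads/Installer.dmg", "mountpoint": "/Volumes/Installer"},
    {"ts": "2026-05-12T09:01:30", "type": "exec", "path": "/Volumes/Installer/App.app/Contents/MacOS/App", "quarantine_xattr": False},
    {"ts": "2026-05-12T09:01:35", "type": "file_create", "path": "/Users/a/Downloads/Good.dmg", "proc": "Safari"},
    {"ts": "2026-05-12T09:02:00", "type": "mount", "image": "/Users/a/Downloads/Good.dmg", "mountpoint": "/Volumes/Good"},
    {"ts": "2026-05-12T09:02:05", "type": "syspolicy", "path": "/Volumes/Good/Tool.app", "msg": "assessment granted"},
    {"ts": "2026-05-12T09:02:10", "type": "exec", "path": "/Volumes/Good/Tool.app/Contents/MacOS/Tool", "quarantine_xattr": True},
    # Exec from a volume whose backing image is not a recent download: outside the rule.
    {"ts": "2026-05-12T09:03:00", "type": "exec", "path": "/Volumes/OldBackup/tool", "quarantine_xattr": False},
]

DOWNLOAD_WINDOW = timedelta(hours=24)   # "downloaded within the last 24 hours"
ASSESS_WINDOW = timedelta(minutes=5)    # how close a syspolicy entry must be to the exec


def find_suspicious_execs(events, download_window=DOWNLOAD_WINDOW, assess_window=ASSESS_WINDOW):
    """Alerts for execs from /Volumes/ whose image was downloaded recently and which
    lack a Gatekeeper assessment entry and/or the com.apple.quarantine xattr."""
    downloads, mounts, assessments, alerts = {}, {}, [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, kind = datetime.fromisoformat(ev["ts"]), ev["type"]
        if kind == "file_create" and ev["path"].lower().endswith(".dmg"):
            downloads[ev["path"]] = ts                    # image path -> download time
        elif kind == "mount":
            mounts[ev["mountpoint"]] = ev["image"]        # mountpoint -> image path
        elif kind == "syspolicy":
            assessments.append((ts, ev["path"]))          # Gatekeeper assessed this bundle
        elif kind == "exec" and ev["path"].startswith("/Volumes/"):
            mountpoint = "/Volumes/" + ev["path"].split("/")[2]
            image = mounts.get(mountpoint)
            downloaded = downloads.get(image)
            if downloaded is None or ts - downloaded > download_window:
                continue                                  # not from a recent download
            reasons = []
            if not any(ev["path"].startswith(p) and abs(ts - at) <= assess_window
                       for at, p in assessments):
                reasons.append("no com.apple.syspolicy assessment entry")
            if not ev.get("quarantine_xattr", True):
                reasons.append("missing com.apple.quarantine xattr")
            if reasons:
                alerts.append({"exec": ev["path"], "image": image, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_execs(EVENTS):
        print(alert)
```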
How to Mitigate CVE-2026-28954
Immediate Actions Required
- Update affected systems to iOS 18.7.9, iPadOS 18.7.9, macOS Sonoma 14.8.7, macOS Sequoia 15.7.7, or macOS Tahoe 26.5 or later.
- Inventory macOS endpoints by build number and prioritize patching for systems used by privileged users or developers who frequently mount disk images.
- Treat any .dmg from unverified sources as untrusted until the patch is deployed organization-wide.
Patch Information
Apple released fixes across multiple advisories. See Apple Security Advisory #127111, #127115, #127116, and #127117 for the affected OS versions and corresponding patched builds. The fix introduces additional validation checks in the quarantine subsystem.
Workarounds
- Block delivery of .dmg attachments through email and messaging gateways where feasible.
- Restrict mounting of disk images via mobile device management (MDM) configuration profiles on managed macOS endpoints.
- Require users to validate code signatures with codesign --verify --deep --strict and spctl --assess on any binary executed from a mounted image until patching is complete.
# Verify current macOS build and Gatekeeper status
sw_vers
spctl --status
# Inspect quarantine attribute on a downloaded disk image
xattr -l ~/Downloads/suspicious.dmg
# Manually assess a binary extracted from a mounted image
spctl --assess --verbose=4 /Volumes/Installer/App.app
codesign --verify --deep --strict --verbose=2 /Volumes/Installer/App.app
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.