CVE-2026-28958 Overview
CVE-2026-28958 is an information disclosure vulnerability affecting multiple Apple operating systems. Apple addressed the issue with improved data protection across Safari, iOS, iPadOS, macOS, and visionOS. An app installed on the device may be able to access sensitive user data without proper authorization. The flaw is categorized under [CWE-200] Information Exposure and requires local access plus user interaction to exploit. Apple has shipped fixes in Safari 26.5, iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, and visionOS 26.5.
Critical Impact
A locally installed application can read sensitive user data on unpatched Apple devices, breaching confidentiality boundaries between apps and the user's protected information.
Affected Products
- Apple iOS and iPadOS prior to 26.5
- Apple macOS Tahoe prior to 26.5 and Safari prior to 26.5
- Apple visionOS prior to 26.5
Discovery Timeline
- 2026-05-11 - CVE-2026-28958 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-28958
Vulnerability Analysis
The vulnerability allows an application running on an affected Apple device to access sensitive user data that should be isolated by the operating system's data protection model. Apple's advisory states the issue was resolved through improved data protection, indicating the previous implementation did not enforce confidentiality boundaries correctly. The flaw maps to [CWE-200], a generic information exposure weakness.
Exploitation requires local code execution context, meaning a malicious or compromised app must already be installed on the device. User interaction is also required, which typically means the user must launch or otherwise engage with the offending application. The impact is limited to confidentiality, with no integrity or availability consequences according to the CVSS vector.
The EPSS probability is 0.012%, reflecting low expected exploitation activity in the near term. No public proof-of-concept code, exploit modules, or in-the-wild abuse has been reported. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities catalog.
Root Cause
Apple's release notes attribute the fix to improved data protection. This language typically indicates that a system component exposed protected data through an access path that bypassed the intended sandbox or entitlement check. Apple has not published deeper technical specifics in the public advisory.
Attack Vector
An attacker must deliver a malicious application to the target device, for example through sideloading, enterprise distribution channels, or by abusing a previously compromised legitimate app. Once the app runs with user interaction, it can read sensitive user data that the operating system should otherwise restrict.
No verified exploitation code is publicly available. For technical specifics, consult Apple Support Article 127121.
Detection Methods for CVE-2026-28958
Indicators of Compromise
- No public indicators of compromise have been published for CVE-2026-28958.
- Apple has not released file hashes, network signatures, or process indicators tied to exploitation.
Detection Strategies
- Inventory Apple endpoints and confirm OS build versions against Safari 26.5, iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, and visionOS 26.5 baselines.
- Review mobile device management (MDM) compliance reports to flag devices running pre-26.5 builds.
- Audit installed applications on managed Apple devices for unsigned, sideloaded, or unexpected publishers that could host a malicious payload.
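The version check described in the list above, as an added example (not Apple's or the page author's code): it audits an inventory export against the 26.5 baseline and treats missing versions as findings. The CSV column names and device rows are constructed assumptions, not a real MDM schema.

```python
import csv
import io
import re

BASELINE = (26, 5)  # fixed release named on the page for every affected product

# Constructed sample inventory; the column names are assumptions, not an MDM schema.
SAMPLE_EXPORT = """\
device,platform,os_version,safari_version
mac-001,macOS,26.5,26.5
mac-002,macOS,26.4.1,26.5
mac-003,macOS,26.5,26.4
iphone-014,iOS,26.10,
ipad-007,iPadOS,26.3,
vision-002,visionOS,26.5.1,
mac-009,macOS,,26.5
"""

def meets_baseline(version, baseline=BASELINE):
    """True/False for a dotted version, None when it is missing or malformed."""
    version = (version or "").strip()
    if not re.fullmatch(r"[0-9]+(\.[0-9]+)*", version):
        return None
    parts = tuple(int(p) for p in version.split("."))
    width = max(len(parts), len(baseline))
    pad = lambda t: t + (0,) * (width - len(t))
    # Compare numerically: as strings, "26.10" would sort before "26.5".
    return pad(parts) >= pad(baseline)

def audit(export_text):
    """Return [(device, [reasons])] for rows that cannot be shown to be patched."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        checks = [(row["platform"], row["os_version"])]
        if row["platform"] == "macOS":  # Safari is versioned separately on macOS
            checks.append(("Safari", row["safari_version"]))
        reasons = []
        for product, version in checks:
            ok = meets_baseline(version)
            if ok is None:
                reasons.append(f"{product} version unknown")
            elif not ok:
                reasons.append(f"{product} {version} is below 26.5")
        if reasons:
            findings.append((row["device"], reasons))
    return findings

if __name__ == "__main__":
    for device, reasons in audit(SAMPLE_EXPORT):
        print(f"{device}: {'; '.join(reasons)}")
```

Devices with an unparseable or empty version are reported rather than skipped, so a gap in inventory data does not read as compliance.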
Monitoring Recommendations
- Monitor MDM telemetry for delayed OS updates and enforce update deadlines on non-compliant devices.
- Track app installation events from non-App Store sources on macOS through Endpoint Security telemetry.
- Correlate user-reported anomalies, such as unexpected permission prompts, with recently installed applications.
How to Mitigate CVE-2026-28958
Immediate Actions Required
- Update all affected devices to Safari 26.5, iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, or visionOS 26.5.
- Use MDM policies to enforce minimum OS versions and block enrollment of devices on outdated builds.
- Remove untrusted or sideloaded applications from managed Apple endpoints.
Patch Information
Apple released fixes in Safari 26.5, iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, and visionOS 26.5. Refer to the official advisories: Apple Support Article 127110, Apple Support Article 127115, Apple Support Article 127120, and Apple Support Article 127121.
Workarounds
- No vendor workarounds are documented. Applying the official OS updates is the only supported remediation.
- Restrict installation of third-party applications to the App Store and notarized publishers until devices are patched.
- Where patching must be delayed, restrict device usage to trusted first-party applications and revoke unnecessary app entitlements.
```bash
# Verify macOS build on a managed endpoint
sw_vers
# Confirm the ProductVersion is 26.5 or later, then validate Safari
defaults read /Applications/Safari.app/Contents/Info.plist CFBundleShortVersionString
```