CVE-2026-28961 Overview
CVE-2026-28961 is an information disclosure vulnerability in Apple macOS. An attacker with physical access to a locked device may view sensitive user information without authenticating. Apple addressed the issue with improved checks in macOS Tahoe 26.5. The weakness is categorized under CWE-522 (Insufficiently Protected Credentials) and requires local, physical interaction with the targeted device.
Critical Impact
Physical attackers can bypass lock screen protections to read sensitive user information from an otherwise locked macOS device.
Affected Products
- Apple macOS versions prior to macOS Tahoe 26.5
- Devices running affected macOS builds with no additional mitigations
- All hardware configurations supported by affected macOS versions
Discovery Timeline
- 2026-05-11 - CVE-2026-28961 published to the National Vulnerability Database (NVD)
- 2026-05-11 - Apple publishes advisory at Apple Support Article 127115
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-28961
Vulnerability Analysis
The vulnerability resides in how macOS validates access to user data while the device is in a locked state. Insufficient checks in the lock screen workflow permit an attacker with physical possession of the device to surface sensitive content that should remain protected. The flaw maps to CWE-522, indicating that credentials or protected data are not sufficiently shielded from local observers. Exploitation does not require user interaction, privileges, or network access. Apple's fix in macOS Tahoe 26.5 adds stricter validation to prevent the exposed content path from rendering while the device is locked.
Root Cause
The root cause is missing or incomplete state checks in a component that displays user information. The locked-state guard did not fully cover the affected code path, allowing data intended for authenticated sessions to surface on the lock screen. Apple's advisory describes the remediation as "improved checks," consistent with hardening of the lock-state validation logic.
Attack Vector
The attack vector is physical (AV:P). An attacker must take possession of the target Mac while it is locked. The attacker then interacts with the local user interface to trigger the vulnerable code path and observe sensitive information. No malware deployment, network access, or credential theft is required. The vulnerability does not allow modification or denial of service, only disclosure of user information.
No public proof-of-concept exploit has been published. The EPSS dataset reflects a low probability of exploitation in the wild, and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2026-28961
Indicators of Compromise
- No network-based indicators are associated with this vulnerability, as exploitation requires physical access.
- Unexpected physical handling of a locked device, particularly devices reported lost or stolen, should be treated as suspicious.
- macOS systems still reporting a build older than macOS Tahoe 26.5 in inventory are exposed.
Detection Strategies
- Audit macOS endpoints with mobile device management (MDM) or asset inventory tooling to identify devices below macOS Tahoe 26.5.
- Correlate lost or stolen device reports with subsequent account anomalies, such as unexpected access that relies on leaked session tokens or on content that was visible on the device.
- Review Apple's advisory at Apple Support Article 127115 for build numbers that resolve the issue.
Monitoring Recommendations
- Track OS version compliance across the macOS fleet and alert when devices fall behind the patched build.
- Monitor authentication and session activity for accounts tied to devices recently reported as physically compromised.
- Enable lost-mode and remote-wipe workflows through MDM so administrators can respond to physical loss events quickly.
How to Mitigate CVE-2026-28961
Immediate Actions Required
- Upgrade all affected Mac systems to macOS Tahoe 26.5 or later through Software Update or MDM-managed update policies.
- Enforce full-disk encryption with FileVault on all macOS endpoints to limit the value of physical access.
- Require strong device passcodes and reduce automatic lock timeouts on user laptops and desktops.
Patch Information
Apple resolved CVE-2026-28961 in macOS Tahoe 26.5 with improved checks on the affected code path. Patch details and supported builds are listed in Apple Support Article 127115. Administrators should validate that endpoints report a fixed build after the update completes.
Workarounds
- Until the patch is applied, store devices in physically secured locations and avoid leaving locked Macs unattended in public spaces.
- Disable lock screen features that surface notifications or widgets containing sensitive content through Configuration Profiles.
- Use MDM policies to enforce short inactivity timers and require a password immediately after sleep or screen saver.
```bash
# Verify the installed macOS version meets the patched build
sw_vers -productVersion
# Trigger software update check on a managed endpoint
sudo softwareupdate -l
# Install all available updates and restart if required
sudo softwareupdate -ia --restart
```
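
The commands above only print the version. As an added example (not from Apple's advisory or this page's original content), the script below compares a reported version against the 26.5 release named in Patch Information and applies the same check to an inventory export, as the Detection Strategies section suggests. The function names and the `hostname,version` export format are assumptions, and the sample inventory is constructed.

```shell
# Added example: flag macOS versions below the fixed release named on this page.
PATCHED_VERSION="26.5"   # macOS Tahoe 26.5, per the advisory text

# version_lt A B: succeed when dotted version A is strictly lower than B.
# Components compare numerically (26.10 is newer than 26.5) and a missing
# component counts as 0 (26.5 equals 26.5.0).
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1   # versions are equal
}

# classify VERSION: print PATCHED, VULNERABLE, or UNKNOWN (empty or malformed).
classify() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) echo UNKNOWN ;;
        *) if version_lt "$1" "$PATCHED_VERSION"; then echo VULNERABLE; else echo PATCHED; fi ;;
    esac
}

# audit_inventory: read "hostname,version" lines on stdin (hypothetical export
# format) and print every host that is not confirmed patched.
audit_inventory() {
    while IFS=, read -r host ver; do
        [ -n "$host" ] || continue
        status=$(classify "$ver")
        [ "$status" = PATCHED ] || printf '%s %s %s\n' "$host" "${ver:-?}" "$status"
    done
}

# Constructed sample inventory (not real hosts).
sample_inventory() {
    cat <<'EOF'
mac-001,26.5
mac-002,26.4.1
mac-003,26.10
mac-004,15.7.2
mac-005,
EOF
}

sample_inventory | audit_inventory
```

On an endpoint, `classify "$(sw_vers -productVersion)"` gives the same verdict for the local machine.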


