CVE-2026-28993 Overview
CVE-2026-28993 is an access control vulnerability (CWE-284) affecting multiple Apple operating systems. The flaw allows a locally installed app to access user-sensitive data without proper consent. Apple addressed the issue by adding an additional prompt for user consent across affected platforms.
The vulnerability impacts iOS, iPadOS, macOS Sequoia, macOS Sonoma, macOS Tahoe, and visionOS. Exploitation requires local access and low-privilege execution on the device. Confidentiality impact is high, while integrity and availability are unaffected.
Critical Impact
A malicious or compromised application installed on an affected Apple device can read user-sensitive data without triggering a consent prompt, exposing personal information stored on the device.
Affected Products
- Apple iOS and iPadOS (fixed in 18.7.9 and 26.5)
- Apple macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, and macOS Tahoe 26.5
- Apple visionOS 26.5
Discovery Timeline
- 2026-05-11 - CVE-2026-28993 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-28993
Vulnerability Analysis
The vulnerability stems from improper access control governing how applications request access to user-sensitive data on Apple platforms. An application running with normal user privileges can reach data that should be gated behind explicit user authorization. Apple's remediation introduces an additional consent prompt, indicating the prior code path failed to enforce the authorization step.
The issue is classified under CWE-284: Improper Access Control. Apple's advisories describe the impact as "An app may be able to access user-sensitive data," which on Apple platforms typically refers to resources protected by the Transparency, Consent, and Control (TCC) framework on macOS or the equivalent privacy controls on iOS, iPadOS, and visionOS.
Exploitation requires the attacker to first place code on the device, either through a sideloaded application, a malicious App Store submission, or via a separate initial-access vulnerability. Once running, the application accesses sensitive data without the user being shown the expected authorization dialog.
Root Cause
The root cause is a missing user consent check in the code path that handles access to sensitive resources. The affected component did not validate that the user had previously authorized the operation before returning protected data to the calling process.
Attack Vector
The attack vector is local. An adversary must execute code on the target device as a standard user. No user interaction is required after the malicious application is running, allowing silent exfiltration of user-sensitive data such as contacts, photos, location history, or other resources normally protected by privacy prompts. The vulnerability is described in prose only; no public proof-of-concept exploit code is available. Refer to the Apple security advisories for vendor-supplied details.
Detection Methods for CVE-2026-28993
Indicators of Compromise
- Applications accessing TCC-protected resources (Contacts, Photos, Calendar, Location, Microphone, Camera) without an associated user prompt event in system logs.
- Unsigned or recently sideloaded applications reading from sensitive data containers shortly after first launch.
- Outbound network connections from applications immediately following access to user data stores.
Detection Strategies
- Audit tccd and unified log entries on macOS for access events that lack corresponding user-consent dialog entries.
- Inventory installed applications across managed Apple endpoints and flag those running on OS builds older than the fixed versions.
- Correlate process telemetry with file access to identify applications reading from ~/Library/Application Support, ~/Pictures, ~/Contacts, and similar protected paths.
Monitoring Recommendations
- Forward Apple endpoint telemetry into a centralized log platform and create alerts for anomalous access to privacy-protected resources.
- Track OS version compliance and prioritize remediation for devices below the patched builds listed by Apple.
- Monitor for new application installations on managed devices, particularly those originating outside approved distribution channels.
How to Mitigate CVE-2026-28993
Immediate Actions Required
- Update all Apple devices to iOS 18.7.9 or 26.5, iPadOS 18.7.9 or 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, or visionOS 26.5.
- Inventory managed Apple endpoints through MDM and enforce update policies on devices that have not yet upgraded.
- Review installed applications and remove any that are unsigned, sideloaded, or sourced from untrusted developers.
Patch Information
Apple released fixes in the platform updates referenced above. Patch details are documented in the vendor advisories: Apple Security Article #127110, #127111, #127115, #127116, #127117, and #127120. Apply the update corresponding to each device's OS family.
Workarounds
- Restrict application installation to vetted sources and disable sideloading where supported.
- Use MDM configuration profiles to limit which applications can request access to sensitive data classes.
- Review and revoke unnecessary privacy permissions granted to existing applications under Settings or System Settings > Privacy & Security.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
