PatchSiren cyber security CVE debrief
CVE-2026-28877 Apple CVE debrief
Apple disclosed CVE-2026-28877 on 2026-03-25. The issue is described as an authorization problem fixed with improved state management, and Apple says an app may be able to access sensitive user data. Apple’s listed fixes cover iOS 18.7.9 and 26.4, iPadOS 18.7.9 and 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, visionOS 26.4, and watchOS 26.4. NVD rates the issue as medium severity (CVSS 5.5) and shows a local, low-complexity, low-privilege, no-user-interaction path with high confidentiality impact.
- Vendor: Apple
- Product: CVE-2026-28877
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-25
- Original CVE updated: 2026-05-11
- Advisory published: 2026-03-25
- Advisory updated: 2026-05-11
Who should care
Apple device administrators, security teams managing mixed iPhone, iPad, Mac, Apple Watch, or Vision Pro fleets, and users running affected versions should care most. Because the issue can expose sensitive user data, it matters most on devices used for personal, business, or regulated information.
Technical summary
Based on the CVE description and NVD metadata, this is an authorization weakness rather than a crash or availability problem. NVD’s vector (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) indicates a local attack surface with low privileges and no user interaction required, and the primary impact is confidentiality. Apple attributes the fix to improved state management. The supplied source corpus does not include the text of the Apple advisories, so component-level details are limited to the published CVE description and Apple’s fixed-version list.
Defensive priority
Medium. Treat as a prompt patching item for managed Apple environments, especially where devices handle sensitive personal or organizational data. The confidentiality impact makes it more important than a typical low-severity issue even though the CVSS score is 5.5.
Recommended defensive actions
- Apply Apple’s fixed releases: iOS 18.7.9 or 26.4, iPadOS 18.7.9 or 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, visionOS 26.4, and watchOS 26.4.
- Inventory fleet versions and confirm that no affected Apple devices remain below the fixed releases.
- Prioritize patching on devices that access sensitive personal, corporate, or regulated data.
- Track the CVE in vulnerability management tools and verify remediation after updates are deployed.
- Review Apple security release notes for any follow-on clarification tied to the linked advisories.
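The inventory and verification steps above come down to one comparison per device: is its OS version at or above the fixed release for its branch? The following is an added example (not PatchSiren's or Apple's code) of that check, using the fixed-version list from this debrief. The fixed releases are the ones stated above; the device inventory is a constructed sample, and the handling of versions on a branch with no listed fix (for example an iOS 17 device) as "unsupported-branch", and of majors newer than every listed fix as fixed, are this example's own assumptions, not statements from Apple.

```python
"""Fleet compliance check against the CVE-2026-28877 fixed releases (added example).

FIXED is taken from the fix list in the debrief. Branch handling beyond that
list (older majors, newer majors) is an assumption of this example.
"""
from collections import defaultdict

# Fixed releases per platform, keyed by major-version branch (from the debrief).
FIXED = {
    "iOS":      {18: "18.7.9", 26: "26.4"},
    "iPadOS":   {18: "18.7.9", 26: "26.4"},
    "macOS":    {14: "14.8.5", 15: "15.7.5", 26: "26.4"},   # Sonoma, Sequoia, Tahoe
    "visionOS": {26: "26.4"},
    "watchOS":  {26: "26.4"},
}


def parse_version(text: str) -> tuple:
    """'26.4 (23E123)' -> (26, 4); build identifiers after whitespace are ignored."""
    core = text.strip().split()[0]
    return tuple(int(p) for p in core.split("."))


def check_device(platform: str, version: str) -> str:
    """Classify one device: fixed, vulnerable, unsupported-branch or unknown-platform."""
    branches = FIXED.get(platform)
    if branches is None:
        return "unknown-platform"          # e.g. tvOS: not in this CVE's fix list
    v = parse_version(version)
    major = v[0]
    if major in branches:
        # Tuple comparison handles (26, 4, 1) >= (26, 4) and (18, 7, 8) < (18, 7, 9).
        return "fixed" if v >= parse_version(branches[major]) else "vulnerable"
    if major > max(branches):
        return "fixed"                     # assumption: newer major than any listed fix
    return "unsupported-branch"            # assumption: no fixed release listed for this major


def audit(inventory: list) -> dict:
    """Group (hostname, platform, version) records by their check result."""
    report = defaultdict(list)
    for hostname, platform, version in inventory:
        report[check_device(platform, version)].append(hostname)
    return dict(report)


def needs_action(inventory: list) -> list:
    """Hostnames an administrator must still look at: vulnerable or off the fixed branches."""
    rep = audit(inventory)
    return sorted(rep.get("vulnerable", []) + rep.get("unsupported-branch", []))


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = [
    ("mbp-alice",   "macOS",    "15.7.5"),
    ("mbp-bob",     "macOS",    "26.3.1"),
    ("imac-lab",    "macOS",    "14.8.5"),
    ("iphone-carol","iOS",      "18.7.8"),
    ("iphone-dave", "iOS",      "26.4 (23E224)"),
    ("ipad-kiosk",  "iPadOS",   "17.7.2"),
    ("watch-erin",  "watchOS",  "26.4.1"),
    ("vision-demo", "visionOS", "26.3"),
    ("appletv-lobby","tvOS",    "26.4"),
]

if __name__ == "__main__":
    for status, hosts in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{status:19} {', '.join(hosts)}")
    print("needs action:", needs_action(SAMPLE_INVENTORY))
```

Feeding this from an MDM export replaces `SAMPLE_INVENTORY` with real records; the point is that version strings are compared as integer tuples rather than as text, so "26.10" sorts after "26.4" and a build suffix does not break the comparison. Devices reported as "unsupported-branch" are not confirmed fixed by anything in this debrief and should be treated as open until Apple's release notes say otherwise.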
Evidence notes
All substantive claims here come from the supplied CVE description, NVD metadata, and Apple reference links. The CVE description states that Apple fixed an authorization issue with improved state management and that an app may be able to access sensitive user data. NVD marks the record status as Modified and provides the CVSS vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, which supports a local, low-privilege confidentiality issue. The source corpus also includes Apple advisory links, but their page text was not provided, so component-specific details are intentionally avoided.
Official resources
- CVE-2026-28877 CVE record: CVE.org
- CVE-2026-28877 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Release Notes, Vendor Advisory
- Mitigation or vendor reference: [email protected] - Release Notes, Vendor Advisory
- Mitigation or vendor reference: [email protected] - Release Notes, Vendor Advisory
- Mitigation or vendor reference: [email protected] - Release Notes, Vendor Advisory
- Mitigation or vendor reference: [email protected] - Release Notes, Vendor Advisory
- Source reference
Publicly disclosed by Apple on 2026-03-25, with NVD later marking the record modified on 2026-05-11. The supplied corpus does not include exploit details or proof-of-concept material.