PatchSiren

CVE-2026-28878 Apple CVE debrief

CVE-2026-28878 is a privacy-focused information disclosure issue in Apple platforms. According to the supplied record, the flaw was addressed by removing sensitive data, and an app may have been able to enumerate a user’s installed apps. Apple released fixes across iOS, iPadOS, macOS, tvOS, visionOS, and watchOS; updating to the listed fixed versions is the primary mitigation.

Vendor: Apple
Product: CVE-2026-28878
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-25
Original CVE updated: 2026-05-11
Advisory published: 2026-03-25
Advisory updated: 2026-05-11

Who should care

Organizations and individuals running affected Apple devices should care, especially where device privacy, app inventory secrecy, or user profiling risk matters. Mobile device managers, enterprise Apple admins, and teams that rely on strict app privacy boundaries should prioritize patching. App developers should also note the issue because installed-app enumeration can reveal sensitive usage patterns.

Technical summary

The supplied NVD record maps this issue to CWE-200 and gives a CVSS v3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L, indicating a network-reachable privacy disclosure that requires no privileges and no user interaction, with limited confidentiality and availability impact. The description states that sensitive data was removed and that an app may be able to enumerate a user’s installed apps. Fixed versions listed in the record include iOS 18.7.7 and 26.4, iPadOS 18.7.7 and 26.4, macOS Sequoia 15.7.7, macOS Sonoma 14.8.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, and watchOS 26.4.

Defensive priority

Medium. The issue is a privacy disclosure rather than code execution, but it is network-reachable, requires no privileges or user interaction, and can expose installed-app information that may be useful for profiling or reconnaissance.

Recommended defensive actions

  • Update affected Apple devices to the fixed versions named in the vendor guidance and NVD record.
  • Prioritize patching managed, shared, and high-sensitivity devices where app inventory exposure is especially undesirable.
  • Use MDM or equivalent fleet tooling to confirm version compliance across iOS, iPadOS, macOS, tvOS, visionOS, and watchOS.
  • Review application privacy posture and minimize reliance on assumptions that installed-app lists are hidden from apps.
  • Track Apple security advisories and validate that devices have received the relevant security update rather than relying on general OS version labels alone.
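
A first-pass version compliance check for the fixed versions listed above, as an added example that is not PatchSiren's or Apple's code. The status names, helper names and sample inventory are assumptions for illustration, and it compares reported version strings only, so it supports rather than replaces the validation described in the last bullet.

```python
# Added example: first-pass fleet check against the fixed versions listed on this page.
# Status names, helper names and the sample inventory are assumptions for illustration.
FIXED = {  # platform -> {major release train: first fixed version}
    "iOS":      {18: (18, 7, 7), 26: (26, 4)},
    "iPadOS":   {18: (18, 7, 7), 26: (26, 4)},
    "macOS":    {14: (14, 8, 5), 15: (15, 7, 7), 26: (26, 4)},
    "tvOS":     {26: (26, 4)},
    "visionOS": {26: (26, 4)},
    "watchOS":  {26: (26, 4)},
}

def parse_version(text):
    """Turn '18.7.7' into (18, 7, 7); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))

def _pad(version, width=3):
    """Right-pad with zeros so (26, 4) compares equal to (26, 4, 0)."""
    return version + (0,) * (width - len(version))

def classify(platform, os_version):
    """Return 'patched', 'needs_update', 'no_fix_listed' or 'unknown'."""
    trains = FIXED.get(platform)
    if trains is None:
        return "unknown"                 # platform not named in the record
    try:
        version = parse_version(os_version)
    except (ValueError, AttributeError):
        return "unknown"                 # beta labels, empty or missing fields
    fixed = trains.get(version[0])
    if fixed is None:
        # Assumption: a train newer than any listed one already carries the fix.
        return "patched" if version[0] > max(trains) else "no_fix_listed"
    return "patched" if _pad(version) >= _pad(fixed) else "needs_update"

INVENTORY = [  # constructed sample, not real fleet data
    ("iphone-01", "iOS", "18.7.6"),
    ("iphone-02", "iOS", "26.4"),
    ("mac-01", "macOS", "15.7.7"),
    ("mac-02", "macOS", "14.8.4"),
    ("mac-03", "macOS", "13.7.8"),
    ("watch-01", "watchOS", "26.3.1"),
]

def report(inventory):
    """Map each device name to its status."""
    return {name: classify(platform, ver) for name, platform, ver in inventory}

if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name}: {status}")
```

Devices reported as no_fix_listed are on a release train for which this record names no fixed version and need separate review.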

Evidence notes

This debrief is based on the supplied NVD record and its listed Apple vendor references. The record says the issue was fixed by removing sensitive data and that an app may be able to enumerate a user’s installed apps. NVD assigns CVSS v3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L and CWE-200. The supplied record also lists affected/fixed Apple platform versions, including iOS/iPadOS 18.7.7 and 26.4, macOS Sequoia 15.7.7, macOS Sonoma 14.8.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, and watchOS 26.4. Publication timing should be read from the CVE published date provided in the corpus (2026-03-25), not from this debrief generation time.

Official resources

Apple disclosed the issue through its security update references listed in the supplied corpus, and NVD published the CVE record on 2026-03-25. The supplied description characterizes the fix as removal of sensitive data. No exploit code, Po