CVE-2026-28855

Severity: High
Published: 25 March 2026
Modified: 26 March 2026
KEV Added: not listed
Patch: fixed in iOS 26.3, iPadOS 26.3 and macOS Tahoe 26.3
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0004 (13.0th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-28855 is a high-severity Improper Access Control (CWE-284) vulnerability in Apple iPadOS. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks at the 13.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Enforces approved authorizations for logical access to information and system resources, directly preventing apps from accessing protected user data due to the permissions issue.

SC-39 Process Isolation (prevent): Maintains process isolation to separate execution domains, mitigating unauthorized access to protected user data by confining malicious apps.

AC-6 Least Privilege (prevent): Employs least privilege to restrict app access to only necessary resources, addressing the improper access control that allowed access to protected user data.

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System (tactic: Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

The improper access control vulnerability directly enables unauthorized reading of protected local user data by a malicious app, mapping to T1005 Data from Local System for confidentiality impact without requiring additional privileges or interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3. An app may be able to access protected user data.

Deeper analysis

CVE-2026-28855 is a permissions issue, classified under CWE-284 (Improper Access Control), that allows an app to access protected user data. The vulnerability affects iOS and iPadOS versions prior to 26.3, as well as macOS Tahoe versions prior to 26.3. It received a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impact on confidentiality.

The vulnerability can be exploited by a remote attacker with no privileges or user interaction required. Successful exploitation enables the attacker to access sensitive protected user data through a malicious app, potentially leading to unauthorized disclosure of private information.

Apple addressed the issue by implementing additional restrictions on permissions. The vulnerability is fixed in iOS 26.3, iPadOS 26.3, and macOS Tahoe 26.3. For further details, refer to Apple's security advisories at https://support.apple.com/en-us/126346 and https://support.apple.com/en-us/126348.

Details

CWE(s)

CWE-284: Improper Access Control

Affected Products

Vendor   Product     Versions
apple    ipados      ≤ 26.3
apple    iphone os   ≤ 26.3
apple    macos       26.0 to 26.3

CVEs Like This One

CVE-2026-28876 (same product: Apple iPadOS)
CVE-2025-30433 (same product: Apple iPadOS)
CVE-2025-24229 (same product: Apple macOS)
CVE-2026-28837 (same product: Apple macOS)
CVE-2025-31183 (same product: Apple iPadOS)
CVE-2025-24173 (same product: Apple iPadOS)
CVE-2025-30460 (same product: Apple macOS)
CVE-2025-43198 (same product: Apple macOS)
CVE-2026-28894 (same product: Apple iPadOS)
CVE-2025-43300 (same product: Apple iPadOS)

References