CVE-2026-28876
Published: 25 March 2026
Summary
CVE-2026-28876 is a high-severity Improper Access Control (CWE-284) vulnerability in Apple macOS. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks at the 17.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of directory path inputs to prevent parsing flaws that enable unauthorized app access to sensitive user data.
Enforces approved access authorizations to block apps from bypassing controls via malformed directory paths.
Implements a reference monitor to mediate and enforce access control policies against path-based access violations.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path validation flaw (CWE-284) in directory handling allows a malicious app to bypass access controls and read arbitrary sensitive files on the local device, directly enabling data collection from the local system.
NVD Description
A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, visionOS 26.4. An app may be able to access sensitive user data.
Deeper analysis
CVE-2026-28876 is a parsing issue in the handling of directory paths, addressed with improved path validation across multiple Apple operating systems. The affected components include iOS prior to versions 18.7.7 and 26.4, iPadOS prior to 18.7.7 and 26.4, macOS Sequoia prior to 15.7.5, macOS Sonoma prior to 14.8.5, macOS Tahoe prior to 26.4, and visionOS prior to 26.4. Classified under CWE-284 (Improper Access Control), it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high-impact confidentiality risks.
An attacker can exploit this vulnerability through a malicious app installed on the device, enabling access to sensitive user data. The attack vector is network-based with low complexity, requiring no user privileges or interaction, and maintains unchanged scope while solely impacting confidentiality.
Apple's advisories detail the fixes in the listed versions, recommending immediate updates to iOS 18.7.7 or 26.4, iPadOS 18.7.7 or 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, and visionOS 26.4. Additional mitigation guidance is available in support documents at https://support.apple.com/en-us/126792, https://support.apple.com/en-us/126793, https://support.apple.com/en-us/126794, https://support.apple.com/en-us/126795, and https://support.apple.com/en-us/126796.
Details
- CWE(s)