CVE-2026-20641 is a privacy vulnerability identified in Apple’s iOS, iPadOS, macOS, tvOS, visionOS, and watchOS platforms. The flaw allows an app to determine what other apps are installed on the same device, violating user privacy by exposing potentially sensitive information about user behavior and preferences. This occurs due to insufficient enforcement of checks that should prevent apps from enumerating installed applications. The vulnerability affects multiple Apple operating systems and was addressed by Apple in updates iOS 18.7.5, iPadOS 18.7.5, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.3, tvOS 26.3, visionOS 26.3, and watchOS 26.3. Exploitation requires user interaction but no special privileges or authentication, making it relatively accessible to attackers who can trick users into installing or running a malicious app. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and has a CVSS v3.1 score of 7.1, indicating high severity. Although no exploits have been observed in the wild, the potential for privacy breaches is significant, especially for users who rely on app confidentiality for personal or corporate security. The vulnerability does not impact system availability but compromises confidentiality and integrity by leaking information about installed applications, which could be leveraged for targeted attacks or profiling.

The primary impact of CVE-2026-20641 is the unauthorized disclosure of sensitive information regarding installed applications on Apple devices. This can lead to privacy violations, as attackers may infer user interests, habits, or affiliations based on app presence. For organizations, this could expose the use of corporate or security-related apps, potentially aiding targeted phishing, social engineering, or espionage campaigns. The vulnerability does not allow direct control or disruption of device functionality but undermines confidentiality and integrity of user data. Given the widespread use of Apple devices globally, especially in enterprise and government sectors, the risk of profiling and targeted attacks is considerable. The requirement for user interaction limits automated exploitation but does not eliminate risk, as users can be socially engineered. The absence of known exploits in the wild suggests limited current exploitation but does not preclude future attacks. Overall, the vulnerability poses a significant privacy risk with potential downstream impacts on organizational security posture and user trust.

To mitigate CVE-2026-20641, organizations and users should promptly apply the security updates released by Apple for all affected platforms, including iOS 18.7.5, iPadOS 18.7.5, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.3, tvOS 26.3, visionOS 26.3, and watchOS 26.3. Beyond patching, organizations should enforce strict app vetting policies, limiting installation to trusted sources such as the Apple App Store and employing Mobile Device Management (MDM) solutions to control app deployment. User education is critical to reduce the risk of social engineering that could lead to installation of malicious apps. Monitoring app behavior for unusual access patterns or attempts to enumerate installed apps can provide early detection of exploitation attempts. Developers should follow Apple’s guidelines for app sandboxing and privacy to avoid similar issues. Finally, organizations should review privacy policies and consider the impact of app enumeration on compliance requirements, adjusting controls accordingly.