CVE-2026-28855 is a security vulnerability identified in Apple’s iOS and iPadOS platforms, as well as macOS Tahoe, related to a permissions issue that allows an application to bypass intended access controls and gain unauthorized access to protected user data. The root cause is insufficient enforcement of permission restrictions, which could enable a malicious or compromised app to read sensitive information that should be inaccessible under normal security policies. Apple has addressed this issue by introducing additional restrictions in iOS 26.3, iPadOS 26.3, and macOS Tahoe 26.3, thereby closing the loophole. The vulnerability affects all versions prior to these updates. There is no CVSS score assigned yet, and no known public exploits have been reported. The vulnerability does not require user interaction once the malicious app is installed, but it does require the app to be present on the device, which implies that app vetting and installation vectors remain critical. The flaw impacts confidentiality primarily, with potential implications for data integrity if the accessed data is used maliciously. This vulnerability highlights the importance of strict permission management in mobile operating systems to protect user privacy and data security.

The primary impact of CVE-2026-28855 is unauthorized access to protected user data by malicious applications, which can lead to significant breaches of user privacy and confidentiality. For organizations, this could mean exposure of sensitive corporate data, intellectual property, or personal information of employees and customers stored on iOS or iPadOS devices. Such data leakage could facilitate further attacks, including identity theft, corporate espionage, or targeted phishing campaigns. The vulnerability undermines trust in Apple’s platform security and could have legal and compliance ramifications for organizations subject to data protection regulations like GDPR or HIPAA. Since the vulnerability does not require user interaction beyond app installation, attackers could exploit it silently once a malicious app is installed, increasing the risk of undetected data exfiltration. The widespread use of Apple devices in both consumer and enterprise environments amplifies the potential scale of impact globally.

Organizations and users should immediately update affected devices to iOS 26.3, iPadOS 26.3, or macOS Tahoe 26.3 to apply the security patches that address this vulnerability. Beyond patching, organizations should enforce strict app installation policies, such as restricting app installations to trusted sources only and using Mobile Device Management (MDM) solutions to control app permissions and monitor installed applications. Employing app vetting and behavioral analysis tools can help detect potentially malicious apps attempting to exploit permission weaknesses. Users should be educated to avoid installing untrusted or unnecessary apps, especially those requesting excessive permissions. Regular audits of app permissions and usage can help identify anomalies. Additionally, organizations should consider encrypting sensitive data at rest and in transit on mobile devices to reduce the impact of unauthorized access. Monitoring network traffic for unusual data flows from mobile devices can also help detect exploitation attempts.