CVE-2026-28855 is a permissions-related vulnerability affecting Apple’s iOS and iPadOS platforms, as well as macOS Tahoe. The root cause is an access control weakness (CWE-284) that allowed applications to bypass intended restrictions and access protected user data without requiring privileges or user interaction. This vulnerability could enable a malicious app to silently read sensitive information, compromising user confidentiality. The issue was addressed by Apple through additional access restrictions implemented in iOS 26.3, iPadOS 26.3, and macOS Tahoe 26.3. The CVSS v3.1 base score is 7.5, reflecting a network attack vector with low attack complexity, no privileges required, and no user interaction needed, with a high impact on confidentiality but no impact on integrity or availability. Although no active exploits have been reported, the vulnerability poses a significant risk due to the widespread use of Apple devices and the sensitive nature of the data potentially exposed. The vulnerability was publicly disclosed on March 25, 2026, shortly after being reserved on March 3, 2026, indicating a rapid disclosure cycle. The lack of known exploits suggests that attackers may not yet have weaponized this flaw, but the ease of exploitation and high confidentiality impact warrant immediate attention.

The primary impact of CVE-2026-28855 is unauthorized access to protected user data on Apple iOS, iPadOS, and macOS Tahoe devices. This can lead to significant privacy violations, including exposure of personal information, credentials, or other sensitive data stored or accessible on the device. For organizations, this vulnerability could result in data breaches, loss of customer trust, and potential regulatory penalties, especially in sectors handling sensitive or regulated data such as finance, healthcare, and government. Since the vulnerability requires no privileges or user interaction, any app installed on a vulnerable device could exploit it, increasing the attack surface. The absence of integrity or availability impact limits the threat to confidentiality, but the sensitive nature of user data makes this a critical concern. The widespread adoption of Apple devices globally means that many organizations and individuals are at risk if they do not apply the necessary updates promptly.

To mitigate CVE-2026-28855, organizations and users should immediately update all affected Apple devices to iOS 26.3, iPadOS 26.3, or macOS Tahoe 26.3 or later, where the vulnerability has been patched. Enterprises should enforce mobile device management (MDM) policies that mandate timely OS updates and restrict installation of untrusted or unnecessary applications to reduce exposure. Application vetting processes should be strengthened to detect apps attempting to exploit permissions issues. Additionally, monitoring for unusual app behavior or data access patterns can help detect exploitation attempts. Network-level protections such as restricting app network access and employing endpoint detection and response (EDR) solutions tailored for Apple platforms can provide additional layers of defense. Finally, educating users about the importance of installing updates and avoiding untrusted apps will reduce risk.