CVE-2026-28861: A malicious website may be able to access script message handlers intended for other origins in Apple Safari
A logic issue was addressed with improved state management. This issue is fixed in Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. A malicious website may be able to access script message handlers intended for other origins.
AI Analysis
Technical Summary
CVE-2026-28861 is a logic flaw in Apple Safari's handling of script message handlers, the WebKit mechanism through which page script sends messages to native code (exposed to web content as window.webkit.messageHandlers.<name>.postMessage). Safari, like any WKWebView-based app, registers such handlers for its own features, and a handler is meant to be reachable only from the origins it was installed for. Because of improper state management, a malicious website could reach a handler intended for a different origin, defeating the origin separation those handlers rely on. Depending on what the handler does, this can expose data or trigger native-side behaviour that should only be reachable by the intended origin. Versions before the fixed releases are affected; the fix ships in Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4 and visionOS 26.4. Exploitation requires only that a user visit a crafted website; no authentication or elevated privileges are needed. Apple's fix improves the state management of script message handlers so that a handler's visibility tracks the origin it was registered for. The CVE record carries no CVSS vector from the assigner (the Cvss Version field below is null); the 4.3 (medium) CVSS v3.1 figure given here is an estimate reflecting a confidentiality-only impact with user interaction required. No exploitation in the wild had been reported at the time of writing, but a flaw of this kind is well suited to targeted attacks that pull limited data from Safari users. It underlines how strictly a browser must bind its native bridges to origins to prevent cross-origin leaks.
Potential Impact
The primary impact of CVE-2026-28861 is loss of confidentiality: a malicious website can reach script message handlers meant for other origins, so whatever those handlers expose or accept becomes reachable from an untrusted page. What that means in practice depends on the handler; it may include user data or session details that the intended origin exchanges with native code. The vulnerability is not described as affecting integrity or availability, but disclosed data can feed follow-on phishing, social engineering or targeted espionage. Organisations that standardise on Apple devices and Safari for sensitive work carry the most exposure. User interaction (visiting a crafted site) is required, which limits indiscriminate mass exploitation but not watering-hole or targeted attacks against users who browse untrusted sites. No exploitation in the wild had been reported at the time of writing; that lowers the immediate urgency but not the need to patch, since a cross-origin leak of this sort erodes the confidentiality guarantees users expect from the platform.
Mitigation Recommendations
To mitigate CVE-2026-28861, update to the fixed releases: Safari 26.4 (delivered as a separate update on macOS releases where Safari is not bundled with the OS update), iOS 18.7.7 and iPadOS 18.7.7 for devices on the 18 line, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, and visionOS 26.4, or later. On iOS and iPadOS most third-party browsers are built on the system WebKit, so switching browser is no substitute for the OS update; the OS build is what matters. Verify patch level from MDM inventory rather than trusting self-reports (on macOS, sw_vers shows the OS version and the CFBundleShortVersionString in /Applications/Safari.app/Contents/Info.plist shows the Safari version). Until devices are patched, reduce exposure with web and DNS filtering of known malicious domains and, for high-security users, browser isolation. Security teams should fold this issue into user awareness material about untrusted sites and keep an incident response plan that covers suspected data leakage from browser vulnerabilities. Teams that ship their own WKWebView-based apps should treat this as a reminder that a native message handler must not assume only the intended page can reach it: check message.name and message.frameInfo.securityOrigin on the native side before acting on a message, so that an origin-isolation bug in the engine does not automatically become a bug in the app.
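For teams that ship their own WKWebView-based apps, the native side of a script message handler can enforce the origin check itself instead of trusting that only the intended page can reach it. The following is an added example, not Apple's code or code from Safari; the handler name nativeBridge, the allowed origin https://app.example.com and the action field in the message body are assumptions made for illustration.

```swift
import WebKit

// Added example (not Apple's or Safari's code): a WKScriptMessageHandler that
// refuses messages unless they come from an allow-listed origin's main frame.
final class OriginCheckedMessageHandler: NSObject, WKScriptMessageHandler {

    /// Origins allowed to drive this bridge. The value is an assumption for the example.
    private let allowedOrigins: Set<String>

    init(allowedOrigins: Set<String>) {
        self.allowedOrigins = allowedOrigins
    }

    /// Serialises a WKSecurityOrigin as scheme://host[:port], the same shape the
    /// page sees in location.origin. WebKit reports port 0 for the scheme default.
    static func originString(_ origin: WKSecurityOrigin) -> String {
        var text = "\(origin.protocol)://\(origin.host)"
        if origin.port != 0 { text += ":\(origin.port)" }
        return text
    }

    func userContentController(_ userContentController: WKUserContentController,
                               didReceive message: WKScriptMessage) {
        let frame = message.frameInfo
        let origin = Self.originString(frame.securityOrigin)

        // 1. The handler name travels with the message; check it instead of assuming
        //    the object was only ever registered under one name.
        guard message.name == "nativeBridge" else { return }

        // 2. Only the origin(s) this bridge was installed for may use it, whatever
        //    the engine let through.
        guard allowedOrigins.contains(origin) else {
            NSLog("bridge: dropped message from unexpected origin %@", origin)
            return
        }

        // 3. Only the top-level document drives the bridge; subframes, even
        //    same-origin ones, are refused.
        guard frame.isMainFrame else { return }

        // 4. Validate the body's shape before acting on it. "action" is an assumed field.
        guard let body = message.body as? [String: Any],
              let action = body["action"] as? String else { return }

        handle(action: action, payload: body)
    }

    private func handle(action: String, payload: [String: Any]) {
        // Application logic goes here (assumed for the example).
        NSLog("bridge: action %@ accepted from a trusted origin", action)
    }
}

/// Installs the handler on a fresh web view. One handler registration per
/// WKUserContentController; the name must match what the page calls.
func makeBridgedWebView() -> WKWebView {
    let config = WKWebViewConfiguration()
    let handler = OriginCheckedMessageHandler(allowedOrigins: ["https://app.example.com"])
    config.userContentController.add(handler, name: "nativeBridge")
    return WKWebView(frame: .zero, configuration: config)
}

// Page side (JavaScript): the only route by which web content reaches the handler.
//   window.webkit.messageHandlers.nativeBridge.postMessage({ action: "ping" });
```

On iOS 14 / macOS 11 and later, add(_:contentWorld:name:) on WKUserContentController installs the handler in a specific WKContentWorld, so a bridge used only by your own injected WKUserScript does not need to be visible to page script at all; combining that with the origin check above gives two independent layers, one of which survives an engine-side isolation bug.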
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, Singapore, Sweden, Netherlands
Technical Details
Data Version: 5.2
Assigner Short Name: apple
Date Reserved: 2026-03-03T16:36:03.972Z
Cvss Version: null
State: PUBLISHED
Threat ID: 69c333dff4197a8e3baaeb4f
Added to database: 3/25/2026, 1:01:19 AM
Last enriched: 4/3/2026, 3:12:15 AM
Last updated: 4/28/2026, 7:24:58 PM
Views: 39