CVE-2026-28864 is a vulnerability discovered in Apple’s operating systems including iOS, iPadOS, macOS, visionOS, and watchOS that allows a local attacker to gain unauthorized access to a user's Keychain items. The Keychain is a secure storage system used by Apple devices to store sensitive information such as passwords, private keys, certificates, and other credentials. The root cause of this vulnerability is insufficient permissions checking, which means that the system failed to properly enforce access controls on Keychain items, allowing a local attacker with access to the device to bypass these controls and retrieve sensitive data. This vulnerability affects multiple Apple OS versions prior to the patched releases: iOS 18.7.7, iPadOS 18.7.7, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, visionOS 26.4, and watchOS 26.4. The fix involved improving the permissions checking mechanisms to ensure that only authorized processes and users can access Keychain data. Exploitation requires local access to the device, meaning the attacker must have physical access or remote access through an already compromised account or device. There is no indication that user interaction is required, nor that the vulnerability can be exploited remotely without prior access. No public exploits or active exploitation in the wild have been reported to date. The vulnerability poses a significant risk to confidentiality, as Keychain items often contain highly sensitive information that can be leveraged for further attacks or identity theft. The lack of a CVSS score necessitates a severity assessment based on impact and exploitability factors.

The primary impact of CVE-2026-28864 is the compromise of confidentiality of sensitive user data stored in the Apple Keychain. This includes passwords, private keys, certificates, and other credentials critical for authentication and encryption. Unauthorized access to these items can lead to identity theft, unauthorized access to corporate and personal accounts, and compromise of encrypted communications. For organizations, this vulnerability could facilitate lateral movement within networks if attackers gain access to corporate Apple devices, potentially exposing enterprise credentials and secrets. The vulnerability does not directly affect system integrity or availability but significantly undermines trust in device security. Since exploitation requires local access, the risk is heightened in environments where devices may be physically accessible by attackers or where local user accounts are shared or compromised. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits post-disclosure. The widespread use of Apple devices globally, especially in enterprise and government sectors, amplifies the potential impact if unpatched devices remain in use.

To mitigate CVE-2026-28864, organizations and users should immediately apply the security updates released by Apple for all affected operating systems: iOS 18.7.7, iPadOS 18.7.7, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, visionOS 26.4, and watchOS 26.4. Beyond patching, organizations should enforce strict physical security controls to limit local access to devices, including secure storage and access policies. Implementing strong device authentication mechanisms such as biometrics or complex passcodes can reduce the risk of unauthorized local access. Monitoring and auditing local access logs can help detect suspicious activity indicative of exploitation attempts. For enterprise environments, consider deploying Mobile Device Management (MDM) solutions to enforce timely patching and restrict installation of unauthorized applications that could facilitate local attacks. Additionally, educating users about the risks of leaving devices unattended and the importance of applying updates promptly is critical. Finally, organizations should review and limit the number of users with local access privileges on Apple devices to minimize exposure.