CVE-2026-28864 is a vulnerability in Apple’s iOS, iPadOS, macOS, visionOS, and watchOS platforms that allows a local attacker to access a user's Keychain items without proper authorization. The Keychain is a secure storage system used to hold sensitive information such as passwords, certificates, and cryptographic keys. The root cause of this vulnerability is insufficient permissions checking (classified under CWE-863: Incorrect Authorization), which enables a local attacker to bypass access controls and retrieve Keychain data. The vulnerability requires local access to the device and user interaction, limiting the attack vector to scenarios where an attacker has physical or logical local access. Apple addressed this issue by enhancing permission checks and released patches in multiple OS versions including iOS 18.7.7, iPadOS 18.7.7, iOS 26.4, iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, visionOS 26.4, and watchOS 26.4. The CVSS v3.1 score of 3.3 reflects the low severity due to the attack vector (local), low complexity, no privileges required, but user interaction needed, and limited confidentiality impact without affecting integrity or availability. No known exploits have been reported in the wild, indicating that active exploitation is not currently observed. This vulnerability poses a risk to the confidentiality of sensitive credentials stored in the Keychain, which could lead to further compromise if leveraged in chained attacks. The fix involves improved authorization checks to ensure only authorized processes or users can access Keychain items.

The primary impact of CVE-2026-28864 is unauthorized disclosure of sensitive information stored in the Apple Keychain, such as passwords, tokens, and cryptographic keys. This could enable attackers with local access to escalate privileges, impersonate users, or access protected services. Although the vulnerability does not affect system integrity or availability, the confidentiality breach can have serious consequences, especially in environments where devices are shared or physically accessible by untrusted individuals. For organizations, this could lead to credential theft, unauthorized access to corporate resources, and potential lateral movement within networks. The requirement for local access and user interaction limits the scope of exploitation, reducing the risk of remote attacks. However, in high-security environments or where devices are used in sensitive roles, the risk remains significant. The absence of known exploits in the wild suggests limited immediate threat, but the vulnerability should be addressed promptly to prevent future exploitation. Overall, the impact is moderate for individual users but could be more severe in enterprise or government contexts with high-value targets.

1. Apply the latest security updates from Apple immediately, ensuring devices run iOS 18.7.7, iPadOS 18.7.7, iOS 26.4, iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, visionOS 26.4, or watchOS 26.4 or later. 2. Restrict physical and logical local access to Apple devices, especially in shared or public environments, to prevent unauthorized users from exploiting this vulnerability. 3. Implement strict device usage policies and enforce screen locks with strong authentication to reduce the risk of local attacker access. 4. Monitor device logs and user activity for unusual access patterns or attempts to access Keychain items. 5. Educate users about the risks of local attacks and the importance of not allowing untrusted individuals to access their devices. 6. For enterprise environments, consider deploying Mobile Device Management (MDM) solutions to enforce patch compliance and device security policies. 7. Limit the installation of untrusted or unnecessary applications that could facilitate local exploitation. 8. Regularly audit Keychain access permissions and remove unnecessary credentials or keys to minimize exposure.