CVE-2026-28878 is a privacy-related vulnerability identified in Apple’s iOS and iPadOS platforms, including related operating systems such as macOS Sonoma, macOS Tahoe, tvOS, visionOS, and watchOS. The flaw allows a malicious application to enumerate the list of installed applications on a user’s device without requiring any privileges or user interaction. This enumeration capability can reveal sensitive information about the user’s app usage patterns, installed software, and potentially expose them to targeted phishing or profiling attacks. The root cause relates to improper handling of sensitive data that allowed apps to access information that should have been restricted. Apple addressed this issue by removing the sensitive data exposure in updates released for iOS 18.7.7, iPadOS 18.7.7, and corresponding versions of other OSes. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS v3.1 base score is 6.5, reflecting a medium severity due to network attack vector, no privileges required, no user interaction, and limited confidentiality impact. No integrity or availability impacts were noted. No public exploits or active exploitation have been reported, but the vulnerability poses a privacy risk that could be leveraged in broader attack scenarios.

The primary impact of CVE-2026-28878 is the unauthorized disclosure of information about installed applications on Apple devices. This can compromise user privacy by revealing app usage habits and potentially sensitive app presence, which attackers could use for social engineering, targeted phishing, or to infer user interests and behaviors. For organizations, this could lead to leakage of confidential information about corporate app deployments on employee devices, potentially aiding attackers in crafting tailored attacks or identifying vulnerable software. Although the vulnerability does not directly affect system integrity or availability, the privacy breach can undermine trust and compliance with data protection regulations, especially in sectors handling sensitive data such as finance, healthcare, and government. The ease of exploitation (no authentication or user interaction required) increases the risk, particularly in environments where users install untrusted apps. The lack of known exploits reduces immediate risk but does not eliminate the potential for future abuse.

To mitigate CVE-2026-28878, organizations and users should promptly apply the security updates released by Apple for iOS 18.7.7, iPadOS 18.7.7, macOS Sonoma 14.8.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, and watchOS 26.4. Beyond patching, organizations should enforce strict app installation policies, restricting devices to trusted app stores and vetted applications to reduce exposure to malicious apps exploiting this vulnerability. Employ mobile device management (MDM) solutions to monitor and control app installations and permissions. Educate users about the risks of installing untrusted apps and encourage regular OS updates. Additionally, monitor network traffic for unusual app behavior that might indicate attempts to enumerate installed apps or gather device information. For high-security environments, consider deploying endpoint detection and response (EDR) tools capable of detecting suspicious app activities related to privacy enumeration.