CVE-2026-28880: An app may be able to enumerate a user's installed apps in Apple iOS and iPadOS
CVE-2026-28880 is a permissions vulnerability in Apple iOS and iPadOS that allows an app to enumerate the user's installed applications. This issue arises from insufficient restrictions on app permissions, enabling potential privacy breaches by revealing installed app information. The vulnerability affects multiple Apple operating systems including iOS, iPadOS, macOS variants, and visionOS prior to their respective patched versions. Apple addressed this flaw by implementing additional permission restrictions in iOS 18.7.7, iPadOS 18.7.7, macOS Sequoia 15.7.5, macOS Sonoma 14.
AI Analysis
Technical Summary
CVE-2026-28880 is a permissions-related vulnerability discovered in Apple’s iOS, iPadOS, macOS, and visionOS platforms that allows a malicious application to enumerate the list of installed applications on a user's device. This enumeration capability stems from insufficient permission enforcement, permitting apps to access information about other installed apps without explicit user consent or elevated privileges. Such information disclosure can be leveraged by attackers to profile users, identify installed security or banking apps, or tailor subsequent attacks based on the victim’s app ecosystem. The vulnerability affects multiple Apple operating systems prior to their respective patched versions: iOS 18.7.7, iPadOS 18.7.7, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, and visionOS 26.4. Apple mitigated the issue by introducing stricter permission checks and restrictions on app enumeration capabilities. There is no CVSS score assigned yet, and no known exploits have been reported in the wild. The flaw does not require user interaction or authentication, increasing the ease of exploitation. However, the impact is limited to privacy concerns rather than direct compromise of system integrity or availability. This vulnerability highlights the importance of strict app sandboxing and permission models to protect user privacy on mobile and desktop platforms.
Potential Impact
The primary impact of CVE-2026-28880 is the unauthorized disclosure of user-installed application information, which constitutes a privacy breach. Attackers could use this information to build detailed user profiles, identify the presence of security or financial apps, and craft targeted phishing or social engineering attacks. While this vulnerability does not directly enable code execution, privilege escalation, or denial of service, the information gained can facilitate more sophisticated attacks. For organizations, especially those handling sensitive data or operating in regulated industries, this could lead to compliance issues and increased risk of targeted attacks. Consumer users may experience privacy violations and potential follow-on attacks. The scope includes all devices running affected Apple operating systems prior to the patched versions, which are widely deployed globally. The lack of required user interaction or authentication means that any malicious app installed on a device could exploit this vulnerability, increasing the risk surface.
Mitigation Recommendations
To mitigate CVE-2026-28880, organizations and users should promptly update all affected Apple devices to the patched OS versions: iOS 18.7.7 or later, iPadOS 18.7.7 or later, macOS Sequoia 15.7.5 or later, macOS Sonoma 14.8.5 or later, macOS Tahoe 26.4 or later, and visionOS 26.4 or later. Beyond patching, organizations should enforce strict app vetting policies to prevent installation of untrusted or potentially malicious applications that could exploit this vulnerability. Employ Mobile Device Management (MDM) solutions to control app installations and monitor device compliance. Users should be educated about the risks of installing apps from untrusted sources. Developers should follow Apple’s best practices for app sandboxing and permission requests to minimize unnecessary access to system information. Monitoring for unusual app behavior or network traffic may help detect exploitation attempts. Finally, privacy-conscious users and organizations should review app permissions regularly and restrict apps from accessing unnecessary data.
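An added example (not part of the original advisory) that applies the patched versions listed above to an MDM inventory export. The device names and inventory rows are constructed, and a branch for which the page names no fixed release is reported as unlisted rather than guessed.

```python
# Fixed release per (platform, major-version branch), copied from this page.
FIXED = {
    ("iOS", 18): (18, 7, 7),
    ("iPadOS", 18): (18, 7, 7),
    ("macOS", 15): (15, 7, 5),    # Sequoia
    ("macOS", 14): (14, 8, 5),    # Sonoma
    ("macOS", 26): (26, 4, 0),    # Tahoe
    ("visionOS", 26): (26, 4, 0),
}

def parse_version(text):
    """'18.7' -> (18, 7, 0); raises ValueError on non-numeric parts."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def classify(platform, version):
    """Return 'patched', 'vulnerable', or 'unlisted' (no fixed release on the page)."""
    try:
        v = parse_version(version)
    except ValueError:
        return "unlisted"
    fixed = FIXED.get((platform, v[0]))
    if fixed is None:
        return "unlisted"
    return "patched" if v >= fixed else "vulnerable"

# Constructed MDM inventory export: (device name, platform, OS version).
INVENTORY = [
    ("ipad-014", "iPadOS", "18.7.7"),
    ("iphone-231", "iOS", "18.7.6"),
    ("mbp-088", "macOS", "15.7.5"),
    ("mbp-102", "macOS", "14.8"),
    ("imac-007", "macOS", "26.3.1"),
    ("avp-003", "visionOS", "26.4"),
    ("iphone-455", "iOS", "26.2"),
]

def report(inventory):
    """Group device names by status."""
    out = {"patched": [], "vulnerable": [], "unlisted": []}
    for name, platform, version in inventory:
        out[classify(platform, version)].append(name)
    return out

if __name__ == "__main__":
    for status, names in report(INVENTORY).items():
        print(f"{status:10} {', '.join(names) or '-'}")
```

Devices in the unlisted group need a manual check against Apple's own security release notes, since this page gives no fixed version for their branch.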
Affected Countries
United States, China, Japan, Germany, United Kingdom, France, South Korea, Canada, Australia, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: apple
- Date Reserved: 2026-03-03T16:36:03.974Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69c333e3f4197a8e3baaed33
Added to database: 3/25/2026, 1:01:23 AM
Last enriched: 3/25/2026, 1:18:42 AM
Last updated: 3/25/2026, 2:09:38 AM