{"api_version":"1","generated_at":"2026-07-07T06:47:39+00:00","cve":"CVE-2026-28863","urls":{"html":"https://cve.report/CVE-2026-28863","api":"https://cve.report/api/cve/CVE-2026-28863.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-28863","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-28863"},"summary":{"title":"CVE-2026-28863","description":"A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.4 and iPadOS 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to fingerprint the user.","state":"PUBLISHED","assigner":"apple","published_at":"2026-03-25 01:17:10","updated_at":"2026-05-10 14:16:49"},"problem_types":["NVD-CWE-noinfo","CWE-284","An app may be able to fingerprint the user","CWE-284 CWE-284 Improper Access Control"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"6.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"6.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}}],"references":[{"url":"https://support.apple.com/en-us/126797","name":"https://support.apple.com/en-us/126797","refsource":"product-security@apple.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://support.apple.com/en-us/126798","name":"https://support.apple.com/en-us/126798","refsource":"product-security@apple.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://support.apple.com/en-us/126799","name":"https://support.apple.com/en-us/126799","refsource":"product-security@apple.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://support.apple.com/en-us/126792","name":"https://support.apple.com/en-us/126792","refsource":"product-security@apple.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-28863","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28863","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Apple","product":"iOS and iPadOS","version":"affected 26.4 custom","platforms":[]},{"source":"CNA","vendor":"Apple","product":"tvOS","version":"affected 26.4 custom","platforms":[]},{"source":"CNA","vendor":"Apple","product":"visionOS","version":"affected 26.4 custom","platforms":[]},{"source":"CNA","vendor":"Apple","product":"watchOS","version":"affected 26.4 custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"28863","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"apple","cpe5":"ipados","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"28863","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"apple","cpe5":"iphone_os","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"28863","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"apple","cpe5":"tvos","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"28863","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"apple","cpe5":"visionos","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"28863","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"apple","cpe5":"watchos","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"28863","cve":"CVE-2026-28863","epss":"0.000290000","percentile":"0.085340000","score_date":"2026-05-12","updated_at":"2026-05-13 00:11:53"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","version":"3.1"}},{"other":{"content":{"id":"CVE-2026-28863","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-03-25T20:16:19.083884Z","version":"2.0.3"},"type":"ssvc"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-284","description":"CWE-284 Improper Access Control","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-10T13:51:27.443Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"iOS and iPadOS","vendor":"Apple","versions":[{"lessThan":"26.4","status":"affected","version":"0","versionType":"custom"}]},{"product":"tvOS","vendor":"Apple","versions":[{"lessThan":"26.4","status":"affected","version":"0","versionType":"custom"}]},{"product":"visionOS","vendor":"Apple","versions":[{"lessThan":"26.4","status":"affected","version":"0","versionType":"custom"}]},{"product":"watchOS","vendor":"Apple","versions":[{"lessThan":"26.4","status":"affected","version":"0","versionType":"custom"}]}],"descriptions":[{"lang":"en","value":"A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.4 and iPadOS 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to fingerprint the user."}],"problemTypes":[{"descriptions":[{"description":"An app may be able to fingerprint the user","lang":"en"}]}],"providerMetadata":{"dateUpdated":"2026-04-02T18:18:57.691Z","orgId":"286789f9-fbc2-4510-9f9a-43facdede74c","shortName":"apple"},"references":[{"url":"https://support.apple.com/en-us/126792"},{"url":"https://support.apple.com/en-us/126797"},{"url":"https://support.apple.com/en-us/126798"},{"url":"https://support.apple.com/en-us/126799"}]}},"cveMetadata":{"assignerOrgId":"286789f9-fbc2-4510-9f9a-43facdede74c","assignerShortName":"apple","cveId":"CVE-2026-28863","datePublished":"2026-03-25T00:32:20.260Z","dateReserved":"2026-03-03T16:36:03.972Z","dateUpdated":"2026-05-10T13:51:27.443Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-03-25 01:17:10","lastModifiedDate":"2026-05-10 14:16:49","problem_types":["NVD-CWE-noinfo","CWE-284","An app may be able to fingerprint the user","CWE-284 CWE-284 Improper Access Control"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*","versionEndExcluding":"26.4","matchCriteriaId":"F813DB63-2B55-4E0B-9073-5465C65F69D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*","versionEndExcluding":"26.4","matchCriteriaId":"01612D13-BE5B-43F8-B53E-5BF57F2A5B0C"},{"vulnerable":true,"criteria":"cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*","versionEndExcluding":"26.4","matchCriteriaId":"A906E2B7-B83B-4AD0-B00F-BEDEF2EDB844"},{"vulnerable":true,"criteria":"cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*","versionEndExcluding":"26.4","matchCriteriaId":"113B9705-BFF0-4357-B1AB-F57052F32361"},{"vulnerable":true,"criteria":"cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*","versionEndExcluding":"26.4","matchCriteriaId":"F6EAF0A5-7CFF-4EF6-9BC7-DB25B213F753"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"28863","Ordinal":"1","Title":"CVE-2026-28863","CVE":"CVE-2026-28863","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"28863","Ordinal":"1","NoteData":"A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.4 and iPadOS 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to fingerprint the user.","Type":"Description","Title":"CVE-2026-28863"}]}}}