{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-46288", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "state": "PUBLISHED", "assignerShortName": "apple", "dateReserved": "2025-04-22T21:13:49.959Z", "datePublished": "2025-12-17T20:46:42.281Z", "dateUpdated": "2026-04-02T18:14:14.560Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "An app may be able to access sensitive payment tokens"}]}], "affected": [{"vendor": "Apple", "product": "iOS and iPadOS", "versions": [{"version": "0", "status": "affected", "lessThan": "26.2", "versionType": "custom"}]}, {"vendor": "Apple", "product": "macOS", "versions": [{"version": "0", "status": "affected", "lessThan": "26.2", "versionType": "custom"}]}, {"vendor": "Apple", "product": "visionOS", "versions": [{"version": "0", "status": "affected", "lessThan": "26.2", "versionType": "custom"}]}, {"vendor": "Apple", "product": "watchOS", "versions": [{"version": "0", "status": "affected", "lessThan": "26.2", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2, watchOS 26.2. An app may be able to access sensitive payment tokens."}], "references": [{"url": "https://support.apple.com/en-us/125884"}, {"url": "https://support.apple.com/en-us/125886"}, {"url": "https://support.apple.com/en-us/125890"}, {"url": "https://support.apple.com/en-us/125891"}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2026-04-02T18:14:14.560Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "CWE-284 Improper Access Control"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-12-18T19:12:57.774821Z", "id": "CVE-2025-46288", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-18T19:29:20.420Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"affected": [{"vendor": "Apple", "product": "iOS and iPadOS", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "26.2", "versionType": "custom"}]}, {"vendor": "Apple", "product": "visionOS", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "26.2", "versionType": "custom"}]}, {"vendor": "Apple", "product": "macOS", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "26.2", "versionType": "custom"}]}, {"vendor": "Apple", "product": "watchOS", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "26.2", "versionType": "custom"}]}], "references": [{"url": "https://support.apple.com/en-us/125884"}, {"url": "https://support.apple.com/en-us/125891"}, {"url": "https://support.apple.com/en-us/125886"}, {"url": "https://support.apple.com/en-us/125890"}], "descriptions": [{"lang": "en", "value": "A permissions issue was addressed with additional restrictions. This issue is fixed in visionOS 26.2, iOS 26.2 and iPadOS 26.2, watchOS 26.2, macOS Tahoe 26.2. An app may be able to access sensitive payment tokens."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "An app may be able to access sensitive payment tokens"}]}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2025-12-17T20:46:42.281Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-46288", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-18T19:12:57.774821Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2025-12-18T19:13:33.104Z"}}]}, "cveMetadata": {"cveId": "CVE-2025-46288", "state": "PUBLISHED", "dateUpdated": "2025-12-17T20:46:42.281Z", "dateReserved": "2025-04-22T21:13:49.959Z", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "datePublished": "2025-12-17T20:46:42.281Z", "assignerShortName": "apple"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "matchCriteriaId": "EA029506-5678-444B-93B5-27DAD643A1C0", "versionEndExcluding": "26.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "matchCriteriaId": "6276FDCA-3407-4FDD-8437-B57C98A97084", "versionEndExcluding": "26.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "matchCriteriaId": "FBA92B6D-E36C-432B-A041-94D81427CD75", "versionEndExcluding": "26.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*", "matchCriteriaId": "EB10D901-4800-4DF9-AB35-48017C178161", "versionEndExcluding": "26.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*", "matchCriteriaId": "15574823-ECE0-4394-99BC-6AFA34E599CC", "versionEndExcluding": "26.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2, watchOS 26.2. An app may be able to access sensitive payment tokens."}], "id": "CVE-2025-46288", "lastModified": "2026-04-02T19:21:04.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-12-17T21:16:14.010", "references": [{"source": "product-security@apple.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://support.apple.com/en-us/125884"}, {"source": "product-security@apple.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://support.apple.com/en-us/125886"}, {"source": "product-security@apple.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://support.apple.com/en-us/125890"}, {"source": "product-security@apple.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://support.apple.com/en-us/125891"}], "sourceIdentifier": "product-security@apple.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T20:25:30.561472+00:00", "value": {"mitigation_remediation": ["Upgrade the operating system on every Apple device to iOS\u202f26.2, iPadOS\u202f26.2, macOS\u202f26.2, visionOS\u202f26.2, or watchOS\u202f26.2 or later.", "Enforce a mandatory update policy through MDM or system settings to ensure all devices receive the latest security patches automatically.", "Audit installed applications for payment\u2011token access and revoke or update any that hold unnecessary permissions; consider resetting compromised tokens with the payment provider."], "summary": {"action": "Patch", "impact": "Untrusted App Access to Payment Tokens"}, "threat_synthesis": {"affected_systems": "Apple iOS, iPadOS, macOS, visionOS, and watchOS versions earlier than 26.2 are impacted. Devices running these older releases could permit an application to access sensitive payment tokens.", "description_and_impact": "A permissions oversight in Apple operating systems allowed applications to read stored payment tokens, facilitating theft of confidential payment credentials. This flaw results from improper access control (CWE\u2011284). The CVSS score of 5.5 reflects a moderate severity; the vulnerability is not listed in CISA KEV, indicating no known widespread exploitation. The impact could compromise user financial data if the flaw is abused.", "risk_and_exploitability": "The EPSS score is reported as less than 1\u202f%, indicating a low probability of exploitation. The flaw appears to require local app execution, with no remote attack vector described, so risk is confined to users who install or allow potentially malicious applications. Despite the low exploitation probability, the loss of sensitive payment data warrants swift remediation."}}}}, "created": "2025-12-18T09:55:57.715179+00:00", "title": "Apple OS Permission Issue Allowing Access to Payment Tokens", "updated": "2026-04-22T20:30:26.772629+00:00", "vendors": ["apple", "apple$PRODUCT$ios", "apple$PRODUCT$ipad_os", "apple$PRODUCT$ipados", "apple$PRODUCT$macos", "apple$PRODUCT$macos_tahoe", "apple$PRODUCT$visionos", "apple$PRODUCT$watch_os", "apple$PRODUCT$watchos"]}