{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28895", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "state": "PUBLISHED", "assignerShortName": "apple", "dateReserved": "2026-03-03T16:36:03.981Z", "datePublished": "2026-03-25T00:32:11.314Z", "dateUpdated": "2026-04-02T18:16:49.698Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "An attacker with physical access to an iOS device with Stolen Device Protection enabled may be able to access biometrics-gated Protected Apps with the passcode"}]}], "affected": [{"vendor": "Apple", "product": "iOS and iPadOS", "versions": [{"version": "0", "status": "affected", "lessThan": "26.4", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "The issue was addressed with improved checks. This issue is fixed in iOS 26.4 and iPadOS 26.4. An attacker with physical access to an iOS device with Stolen Device Protection enabled may be able to access biometrics-gated Protected Apps with the passcode."}], "references": [{"url": "https://support.apple.com/en-us/126792"}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2026-04-02T18:16:49.698Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "CWE-284 Improper Access Control"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T20:20:47.896771Z", "id": "CVE-2026-28895", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:21:06.907Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-28895", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:20:47.896771Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:21:03.352Z"}}], "cna": {"affected": [{"vendor": "Apple", "product": "iOS and iPadOS", "versions": [{"status": "affected", "version": "0", "lessThan": "26.4", "versionType": "custom"}]}], "references": [{"url": "https://support.apple.com/en-us/126792"}], "descriptions": [{"lang": "en", "value": "The issue was addressed with improved checks. This issue is fixed in iOS 26.4 and iPadOS 26.4. An attacker with physical access to an iOS device with Stolen Device Protection enabled may be able to access biometrics-gated Protected Apps with the passcode."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "An attacker with physical access to an iOS device with Stolen Device Protection enabled may be able to access biometrics-gated Protected Apps with the passcode"}]}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2026-03-25T00:32:11.314Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28895", "state": "PUBLISHED", "dateUpdated": "2026-03-25T20:21:06.907Z", "dateReserved": "2026-03-03T16:36:03.981Z", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "datePublished": "2026-03-25T00:32:11.314Z", "assignerShortName": "apple"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "matchCriteriaId": "F813DB63-2B55-4E0B-9073-5465C65F69D6", "versionEndExcluding": "26.4", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "matchCriteriaId": "01612D13-BE5B-43F8-B53E-5BF57F2A5B0C", "versionEndExcluding": "26.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The issue was addressed with improved checks. This issue is fixed in iOS 26.4 and iPadOS 26.4. An attacker with physical access to an iOS device with Stolen Device Protection enabled may be able to access biometrics-gated Protected Apps with the passcode."}, {"lang": "es", "value": "El problema se abord\u00f3 con comprobaciones mejoradas. Este problema se corrigi\u00f3 en iOS 26.4 y iPadOS 26.4. Un atacante con acceso f\u00edsico a un dispositivo iOS con Protecci\u00f3n de Dispositivos Robados habilitada podr\u00eda acceder a Aplicaciones Protegidas con autenticaci\u00f3n biom\u00e9trica usando el c\u00f3digo de acceso."}], "id": "CVE-2026-28895", "lastModified": "2026-03-26T18:58:05.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T01:17:12.973", "references": [{"source": "product-security@apple.com", "tags": ["Vendor Advisory", "Release Notes"], "url": "https://support.apple.com/en-us/126792"}], "sourceIdentifier": "product-security@apple.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "iOS and iPadOS", "source": "cna", "vendor": "Apple"}, "product": "ios_and_ipados", "vendor": "apple"}], "analysis": {"en": {"generated_at": "2026-03-26T20:58:01.572111+00:00", "value": {"mitigation_remediation": ["Upgrade the device to iOS 26.4 or iPadOS 26.4 to apply the vendor patch.", "Verify that the operating system has been updated to the latest available security release.", "If an update is not immediately possible, consider disabling Stolen Device Protection as a temporary measure, noting that this may reduce device security."], "summary": {"action": "Apply Patch", "impact": "Unauthorized use of biometrics\u2011gated Protected Apps via physical access"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Apple iOS and iPadOS devices running any version prior to 26.4. The issue has been fixed in both operating systems with the 26.4 release.", "description_and_impact": "A flaw in the enforcement of Stolen Device Protection on iOS and iPadOS allows a physically present attacker to bypass the biometric requirement and unlock protected applications using only the device\u2019s passcode. The weakness is a missing or improper access control (CWE\u2011284). The compromise permits unauthorized data access or manipulation within the protected app\u2019s sandbox.", "risk_and_exploitability": "The CVSS base score of 4.6 indicates a moderate impact, while an EPSS score below 1% suggests a low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Attackers would need physical proximity to the device and the Stolen Device Protection feature enabled to attempt this attack."}}}}, "created": "2026-03-25T11:36:36.516091+00:00", "title": "Privilege Escalation via Physical Access to iOS Device with Stolen Device Protection", "updated": "2026-03-27T09:53:45.647510+00:00", "vendors": ["apple", "apple$PRODUCT$ios_and_ipados"]}