CVE-2025-46288
Permission Escalation in Apple OSes Allows Payment Token Access
Publication date: 2025-12-17
Last updated on: 2026-04-02
Assigner: Apple Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apple | ipados | to 26.2 (exc) |
| apple | iphone_os | to 26.2 (exc) |
| apple | macos | to 26.2 (exc) |
| apple | visionos | to 26.2 (exc) |
| apple | watchos | to 26.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a permissions issue where an app may be able to access sensitive payment tokens without proper authorization. It was addressed by adding additional restrictions to prevent unauthorized access.
How can this vulnerability impact me? :
If exploited, this vulnerability could allow an app to access sensitive payment tokens, potentially leading to unauthorized transactions or exposure of payment information.
What immediate steps should I take to mitigate this vulnerability?
Apply the security updates by upgrading to visionOS 26.2, iOS 26.2, iPadOS 26.2, watchOS 26.2, or macOS Tahoe 26.2 as applicable to your devices to address the permissions issue and prevent unauthorized access to sensitive payment tokens.