
Apple Maildrop Vulnerability Allows Metadata Manipulation
Cybersecurity, Vulnerabilities, Data Manipulation, Cloud Services
Apple’s Maildrop service generates iCloud.com attachment URLs with three unsigned, user-controlled parameters: f= (filename), sz= (file size), and uk= (user key). Modifying these parameters allows the landing page to display a custom filename, size, and inferred icon, while the CDN delivers the file with the altered filename. The issue was reported in July 2023 but remains unpatched as of April 2026, with Apple stating it is "prioritised for review." No visual indicators warn users that the metadata is sender-controlled.
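
Because the landing page shows whatever `f=` and `sz=` say, a mail gateway or triage script can treat those values as claims and check them against the file that is actually delivered. The following is an added example, not Apple's code or code from the original report. It assumes the parameters sit in the query string or fragment of an icloud.com link, and the sample URL, its path and its key are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Leading bytes of a few common formats and the extensions they justify.
MAGIC = {
    b"%PDF-": {"pdf"},
    b"PK\x03\x04": {"zip", "docx", "xlsx", "pptx"},
    b"MZ": {"exe", "dll", "scr"},
    b"\x89PNG\r\n\x1a\n": {"png"},
}

def claimed_metadata(url):
    """Return the sender-controlled f/sz/uk values of an iCloud link, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host != "icloud.com" and not host.endswith(".icloud.com"):
        return None
    # Assumption: the parameters may appear in the query string or the fragment.
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(parts.fragment, keep_blank_values=True).items():
        params.setdefault(key, values)
    if not any(key in params for key in ("f", "sz", "uk")):
        return None
    return {key: params.get(key, [None])[0] for key in ("f", "sz", "uk")}

def audit(url, content):
    """Compare what the link claims with the bytes that were delivered."""
    meta = claimed_metadata(url)
    if meta is None:
        return []
    findings = []
    if meta["sz"] is None or not meta["sz"].isdecimal():
        findings.append("sz missing or not numeric")
    elif int(meta["sz"]) != len(content):
        findings.append(f"claimed size {meta['sz']} != actual {len(content)}")
    name = meta["f"] or ""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    for magic, exts in MAGIC.items():
        if content.startswith(magic) and ext not in exts:
            findings.append(f"name {name!r} does not match content ({sorted(exts)})")
    return findings

# Constructed sample: placeholder path and key, not a real Maildrop link.
SAMPLE_URL = "https://www.icloud.com/PLACEHOLDER?uk=PLACEHOLDER&f=Invoice.pdf&sz=48213"
SAMPLE_BODY = b"MZ\x90\x00" + b"\x00" * 60  # 64 bytes starting with a PE header

if __name__ == "__main__":
    for finding in audit(SAMPLE_URL, SAMPLE_BODY):
        print(finding)
```
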