CVE-2026-20655 is an authorization vulnerability identified in Apple’s iOS and iPadOS platforms that allows an attacker with physical access to a locked device to bypass certain state management controls and view sensitive user information. The root cause is an improper handling of authorization states within the operating system, which fails to adequately restrict access to protected data when the device is locked. This flaw does not require user interaction but does require the attacker to have physical possession of the device, making it a local attack vector with low complexity. The vulnerability affects multiple versions of iOS and iPadOS prior to 18.7.5 and 26.3, which include the security fix. The CVSS v3.1 base score is 5.5, reflecting a medium severity level, with a vector indicating local attack (AV:L), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), and no impact on integrity or availability (I:N/A:N). The vulnerability is categorized under CWE-287 (Improper Authentication), highlighting the failure to properly enforce authorization checks. No known exploits have been reported in the wild, but the potential for sensitive data exposure on locked devices poses a significant privacy risk. The issue was addressed by Apple through improved state management in the affected operating system versions.

The primary impact of CVE-2026-20655 is the unauthorized disclosure of sensitive user information on locked iOS and iPadOS devices. This can lead to privacy violations, exposure of personal or corporate data, and potential downstream attacks if sensitive information is leveraged by adversaries. Since the vulnerability requires physical access, the risk is higher in environments where devices may be lost, stolen, or temporarily accessed by unauthorized individuals. The confidentiality impact is high, but there is no direct effect on data integrity or system availability. Organizations that use Apple mobile devices for sensitive communications, corporate data access, or secure transactions may face increased risk of data leakage. The medium severity rating reflects the balance between the high confidentiality impact and the limited attack vector requiring physical access and low privileges. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially in targeted attacks or espionage scenarios.

To mitigate CVE-2026-20655, organizations and users should promptly update all affected Apple devices to iOS 18.7.5, iPadOS 18.7.5, iOS 26.3, or iPadOS 26.3 where the vulnerability is fixed. Beyond patching, enforcing strict physical security controls is critical to prevent unauthorized physical access to devices, including secure storage, use of strong passcodes, and enabling device encryption. Organizations should implement policies for rapid reporting and response to lost or stolen devices, including remote wipe capabilities. Additionally, enabling biometric authentication and limiting lock screen data exposure can reduce the risk of sensitive information leakage. Regular security awareness training should emphasize the importance of physical device security. Monitoring for unusual access patterns or device tampering can also help detect potential exploitation attempts. Finally, organizations should review and minimize sensitive data stored on mobile devices where feasible to reduce exposure.