CVE-2026-20655 is a medium-severity authorization vulnerability affecting Apple iOS and iPadOS devices. The root cause is an improper state management issue that allows an attacker who gains physical access to a locked device to bypass certain authorization checks and view sensitive user information. This could include personal data stored or accessible on the device, potentially compromising user privacy. The vulnerability does not require user interaction and can be exploited with low privileges, but physical access is mandatory. Apple addressed this issue by improving state management in iOS 26.3 and iPadOS 26.3, as well as iOS 18.7.5 and iPadOS 18.7.5. The CVSS v3.1 vector is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating local attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, high confidentiality impact, and no impact on integrity or availability. No public exploits have been reported yet, but the vulnerability poses a risk especially in scenarios involving lost or stolen devices. The CWE classification is CWE-287, which relates to improper authentication or authorization mechanisms.

The primary impact of CVE-2026-20655 is the unauthorized disclosure of sensitive user information on Apple iOS and iPadOS devices. This can lead to privacy violations, identity theft, or leakage of confidential corporate data if the device is used for business purposes. Since the vulnerability requires physical access, the risk is heightened in environments where devices may be lost, stolen, or temporarily accessible to unauthorized individuals. Although the vulnerability does not affect device integrity or availability, the exposure of sensitive data can have severe consequences for individuals and organizations, including reputational damage and regulatory compliance issues. Enterprises with mobile device fleets, especially those in regulated industries or handling sensitive information, face increased risk if devices are not promptly updated. The lack of known exploits in the wild reduces immediate risk but does not eliminate the potential for future exploitation.

To mitigate CVE-2026-20655, organizations and users should immediately apply the security updates provided by Apple in iOS 26.3, iPadOS 26.3, iOS 18.7.5, and iPadOS 18.7.5. Beyond patching, enforcing strong physical security controls is critical, including device encryption, strong passcodes, and biometric authentication to reduce the risk of unauthorized physical access. Organizations should implement mobile device management (MDM) solutions to enforce security policies, remotely lock or wipe lost or stolen devices, and monitor device compliance. Additionally, educating users on the importance of securing their devices and reporting lost or stolen hardware promptly can reduce exposure. Regular audits of device security posture and restricting sensitive data access on mobile devices can further minimize risk. Finally, consider enabling features like Apple’s Find My iPhone and activation lock to deter unauthorized use.