CVE-2026-20662 is an authorization vulnerability in Apple macOS that allows an attacker with physical access to a locked device to bypass certain access controls and view sensitive user information. The root cause is improper state management within the operating system's authorization mechanisms, which fails to adequately restrict access to protected data when the device is locked. This flaw enables unauthorized disclosure of confidential information without requiring user interaction or authentication, increasing the risk of data exposure if the device is physically compromised. Apple addressed this issue by improving state management in macOS Sequoia 15.7.4 and macOS Tahoe 26.3. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS v3.1 base score is 4.6, reflecting medium severity, with an attack vector limited to physical access, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality only. There are no known exploits in the wild, but the vulnerability poses a risk in scenarios where devices are left unattended or stolen. The lack of impact on integrity and availability reduces the overall severity but does not diminish the importance of patching to protect sensitive data.

The primary impact of CVE-2026-20662 is the unauthorized disclosure of sensitive user information on macOS devices when an attacker gains physical access to a locked machine. This can lead to privacy violations, leakage of confidential corporate or personal data, and potential further exploitation if the exposed information includes credentials or other sensitive details. Organizations with mobile or remotely used Apple devices are particularly vulnerable, as physical access attacks are more feasible in such contexts. Although the vulnerability does not allow modification or disruption of system operations, the confidentiality breach alone can have serious consequences, including regulatory compliance violations and reputational damage. The absence of known exploits in the wild suggests limited current exploitation, but the medium severity rating indicates a meaningful risk that should be addressed promptly.

To mitigate CVE-2026-20662, organizations should immediately update all affected macOS devices to macOS Sequoia 15.7.4 or macOS Tahoe 26.3 or later, where the vulnerability is fixed. Beyond patching, organizations should enforce strict physical security controls to limit unauthorized access to devices, including secure storage, use of cable locks, and controlled access environments. Implementing full disk encryption with strong passphrases can reduce the risk of data exposure if physical access occurs. Additionally, enabling features such as automatic device lock after short inactivity periods and requiring strong authentication methods (e.g., biometrics combined with passcodes) can further protect sensitive information. Regular security awareness training should emphasize the risks of leaving devices unattended. Monitoring for unusual access patterns or attempts to bypass lock screens can also help detect exploitation attempts. Finally, organizations should maintain an inventory of Apple devices and ensure timely deployment of security updates.