CVE-2026-20662 is an authorization vulnerability identified in Apple macOS that allows an attacker with physical access to a locked device to view sensitive user information. The root cause is an improper state management flaw that fails to adequately restrict access to sensitive data when the device is locked. This vulnerability does not require any user interaction or prior authentication, making it particularly concerning in scenarios where physical security is compromised. The issue affects macOS versions before Sequoia 15.7.4 and Tahoe 26.3, which include the fix. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information) and has a CVSS v3.1 base score of 4.6, indicating a medium severity level. The attack vector is physical access (AV:P), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The impact is high on confidentiality (C:H) but none on integrity (I:N) or availability (A:N). While no exploits have been reported in the wild, the vulnerability poses a risk to environments where devices may be left unattended or stolen. The fix involves improved state management to ensure proper authorization checks when the device is locked, preventing unauthorized data disclosure.

The primary impact of CVE-2026-20662 is the unauthorized disclosure of sensitive user information on macOS devices when physically accessed while locked. This can lead to privacy breaches, exposure of confidential data, and potential further exploitation if sensitive credentials or personal information are revealed. Although the attacker cannot modify data or disrupt system availability, the confidentiality breach alone can have serious consequences, especially for high-profile individuals, enterprises, or government entities. Organizations relying on macOS devices for sensitive operations or data storage face increased risk if devices are lost, stolen, or accessed by unauthorized personnel. The medium CVSS score reflects the limited attack vector (physical access required) but significant confidentiality impact. The absence of known exploits reduces immediate risk but does not eliminate the threat, particularly in environments with lax physical security controls.

To mitigate CVE-2026-20662, organizations and users should immediately update affected macOS devices to versions Sequoia 15.7.4 or Tahoe 26.3 or later, where the vulnerability is patched. Beyond patching, enforcing strict physical security controls is critical, including securing devices in locked rooms or cabinets, using cable locks, and implementing policies to prevent unauthorized physical access. Enabling full disk encryption (FileVault) adds an additional layer of protection by encrypting data at rest, reducing the risk of data exposure even if physical access is obtained. Organizations should also consider deploying endpoint detection and response (EDR) solutions to monitor for suspicious physical access or tampering. Regular security awareness training should emphasize the importance of device security and prompt reporting of lost or stolen devices. Finally, auditing and restricting access to sensitive information on devices can limit the potential damage if physical access is compromised.