CVE-2026-20674 is a privacy vulnerability identified in Apple’s iOS and iPadOS platforms that allows an attacker with physical access to a locked device to view sensitive user information. The root cause relates to improper handling or exposure of sensitive data on devices that are locked, potentially through UI elements or cached data accessible without authentication. This vulnerability falls under CWE-200, which covers the exposure of sensitive information to unauthorized actors. The issue was resolved in iOS and iPadOS version 26.3 by removing or securing the sensitive data that was previously accessible. The vulnerability has a CVSS 3.1 base score of 4.6, indicating a medium severity level. The vector metrics specify that the attack requires physical access (AV:P), has low attack complexity (AC:L), requires no privileges (PR:N), and no user interaction (UI:N). The impact is limited to confidentiality (C:H), with no impact on integrity or availability. No known exploits have been reported in the wild, suggesting limited active exploitation. However, the vulnerability poses a privacy risk especially in scenarios where devices could be lost, stolen, or briefly accessed by unauthorized individuals. The affected versions are unspecified but presumably all versions prior to 26.3. The vulnerability highlights the importance of securing sensitive data even on locked devices, as physical access can bypass some software protections if data is improperly exposed.

The primary impact of CVE-2026-20674 is the unauthorized disclosure of sensitive user information on Apple iOS and iPadOS devices when an attacker gains physical access to a locked device. This can lead to privacy violations, potential identity theft, or leakage of confidential information stored or displayed on the device. Although the vulnerability does not affect data integrity or device availability, the confidentiality breach can undermine user trust and expose organizations to compliance risks, especially those subject to data protection regulations like GDPR or HIPAA. For enterprises relying heavily on Apple mobile devices, this vulnerability could facilitate insider threats or opportunistic data theft if devices are lost or stolen. The lack of requirement for user interaction or authentication increases the risk in physical access scenarios such as theft, unattended devices, or shared environments. However, the medium severity and absence of known exploits reduce the immediate threat level, but timely patching is essential to prevent potential exploitation.

To mitigate CVE-2026-20674, organizations and users should promptly update all affected Apple devices to iOS and iPadOS version 26.3 or later, where the vulnerability has been addressed. Beyond patching, organizations should enforce strict physical security controls to prevent unauthorized access to devices, including policies for device handling, storage, and transport. Implementing strong device passcodes and enabling biometric authentication can add layers of protection, although this vulnerability specifically concerns data exposure on locked devices. Device encryption should be verified as enabled to protect stored data. Additionally, organizations should consider mobile device management (MDM) solutions to enforce security policies, remotely lock or wipe lost devices, and monitor device compliance. Regular security awareness training should emphasize the risks of physical device access and the importance of reporting lost or stolen devices immediately. Finally, auditing and reviewing device logs where possible can help detect suspicious physical access attempts.