CVE-2026-20674 is a privacy vulnerability identified in Apple’s iOS and iPadOS operating systems, specifically affecting versions prior to 26.3. The flaw allows an attacker with physical access to a locked device to potentially view sensitive user information without needing any authentication or user interaction. This issue is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), indicating that sensitive data was not adequately protected or removed when the device was locked. The vulnerability arises because certain sensitive data remnants remain accessible on the device’s locked state, which could be exploited by an attacker who gains physical possession of the device. Apple resolved this issue by removing the sensitive data exposure in the iOS and iPadOS 26.3 updates. The CVSS v3.1 score of 4.6 reflects a medium severity with the vector AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, meaning the attack requires physical access but no privileges or user interaction, and impacts confidentiality but not integrity or availability. No exploits have been reported in the wild, suggesting limited active exploitation currently. However, the risk remains significant due to the widespread use of Apple mobile devices and the sensitive nature of the data potentially exposed.

The primary impact of CVE-2026-20674 is the unauthorized disclosure of sensitive user information on locked Apple iOS and iPadOS devices. This can lead to privacy violations, identity theft, or further targeted attacks if the exposed data includes credentials, personal identifiers, or confidential communications. Organizations relying on Apple mobile devices for sensitive communications or data storage could face data breaches or compliance violations if devices are lost or stolen and this vulnerability is exploited. The vulnerability does not affect device integrity or availability, so it does not enable device control or denial of service. However, the ease of physical access exploitation without authentication increases risk in environments where devices may be lost, stolen, or temporarily unattended. This threat is particularly relevant for high-profile individuals, enterprises with mobile workforces, and sectors handling sensitive personal or corporate data. The absence of known exploits in the wild reduces immediate risk but does not eliminate the potential for future attacks.

To mitigate CVE-2026-20674, organizations and users should promptly update all affected Apple devices to iOS and iPadOS version 26.3 or later, where the vulnerability has been fixed. Beyond patching, enforcing strong physical security controls is critical, such as restricting device access, using secure storage, and employing device tracking and remote wipe capabilities. Organizations should implement strict mobile device management (MDM) policies that enforce encryption, lock screen timeouts, and strong passcodes to reduce the risk of unauthorized physical access. Additionally, educating users about the risks of leaving devices unattended and encouraging immediate reporting of lost or stolen devices can limit exposure. For highly sensitive environments, consider disabling features that may expose data on the lock screen or using hardware security modules where available. Regular audits of device security posture and incident response plans for lost or compromised devices will further reduce impact.