CVE-2026-28895 is a security vulnerability discovered in Apple’s iOS and iPadOS operating systems, specifically affecting devices with the Stolen Device Protection feature enabled. This feature is designed to protect sensitive applications by gating access behind biometric authentication methods such as Face ID or Touch ID. However, due to insufficient verification checks in the authentication logic, an attacker who gains physical access to the device can bypass these biometric gates by entering the device passcode, thereby gaining unauthorized access to Protected Apps that should otherwise require biometric confirmation. The vulnerability stems from a flaw in how the system validates the passcode in the context of biometric gating, allowing the passcode to override biometric restrictions improperly. Apple addressed this issue in iOS and iPadOS version 26.4 by implementing improved checks that ensure biometric gating cannot be bypassed using the passcode alone. The vulnerability does not appear to be exploited in the wild at this time. Exploitation requires physical possession of the device and knowledge or successful guessing of the passcode, which limits remote or large-scale exploitation but poses a significant risk in scenarios involving device theft or loss. This vulnerability affects all versions prior to 26.4, and impacts both iPhones and iPads running vulnerable iOS or iPadOS versions. The flaw undermines the confidentiality and integrity of protected applications, potentially exposing sensitive user data or corporate information stored within these apps.

The primary impact of CVE-2026-28895 is unauthorized access to biometrically protected applications on iOS and iPadOS devices when an attacker has physical access and the device passcode. This can lead to exposure of sensitive personal or corporate data, including financial, health, or proprietary information stored within Protected Apps. For organizations, this vulnerability can compromise mobile device management (MDM) policies and data protection strategies that rely on biometric gating as a security layer. The breach of biometric protections reduces user trust in device security and may facilitate further attacks if sensitive credentials or data are accessed. While remote exploitation is not possible, the risk is significant in environments where devices are lost, stolen, or temporarily unattended. The vulnerability could also aid insider threats or attackers with brief physical access. The absence of known exploits in the wild reduces immediate risk, but the potential impact on confidentiality and integrity is high, especially for sectors handling sensitive data such as finance, healthcare, government, and enterprise environments.

To mitigate the risk posed by CVE-2026-28895, organizations and users should promptly update all affected iOS and iPadOS devices to version 26.4 or later, where the vulnerability is fixed. Device management policies should enforce timely OS updates and restrict physical access to devices, especially in high-risk environments. Additionally, organizations should consider implementing stronger passcode policies, such as longer alphanumeric passcodes, to reduce the likelihood of passcode guessing. Employing remote wipe and device tracking capabilities can help mitigate damage if a device is lost or stolen. Users should be educated about the risks of physical device loss and the importance of biometric and passcode security. For highly sensitive applications, consider additional application-level encryption or multi-factor authentication mechanisms beyond device biometrics and passcodes. Regular security audits and penetration testing of mobile device security controls can help identify and remediate similar weaknesses proactively.