CVE-2026-28895: An attacker with physical access to an iOS device with Stolen Device Protection enabled may be able to access biometrics-gated Protected Apps with the passcode in Apple iOS and iPadOS
The issue was addressed with improved checks. This issue is fixed in iOS 26.4 and iPadOS 26.4. An attacker with physical access to an iOS device with Stolen Device Protection enabled may be able to access biometrics-gated Protected Apps with the passcode.
AI Analysis
Technical Summary
CVE-2026-28895 is a vulnerability in Apple iOS and iPadOS that affects devices with Stolen Device Protection enabled. This security feature is designed to protect sensitive applications by gating access behind biometric authentication, such as Face ID or Touch ID. However, the vulnerability allows an attacker who has physical possession of the device to bypass these biometric gates by using the device passcode instead. The flaw stems from insufficient verification checks in the authentication logic that governs access to biometrically protected apps. Specifically, the attacker can leverage the passcode authentication path to gain access to apps that should otherwise require biometric confirmation. This compromises the confidentiality of data within those protected apps without affecting data integrity or device availability. The vulnerability was addressed by Apple in iOS and iPadOS version 26.4, which introduced improved checks to ensure that biometric gating cannot be circumvented via passcode entry. The CVSS v3.1 base score is 4.6, reflecting a medium severity with an attack vector requiring physical access, low attack complexity, no privileges or user interaction needed, and a high impact on confidentiality. No known exploits have been reported in the wild, but the vulnerability poses a risk in scenarios where devices are lost, stolen, or otherwise physically compromised. The CWE-284 classification indicates an authorization bypass issue. This vulnerability highlights the importance of robust multi-factor authentication enforcement on mobile devices, especially for apps handling sensitive or protected data.
Potential Impact
The primary impact of CVE-2026-28895 is the unauthorized disclosure of sensitive information stored within biometrically protected applications on iOS and iPadOS devices. Attackers with physical access can bypass biometric authentication by using the device passcode, potentially exposing confidential data such as personal information, corporate secrets, or financial details. This undermines the confidentiality guarantees of the Stolen Device Protection feature. While the vulnerability does not affect data integrity or device availability, the breach of confidentiality can lead to privacy violations, identity theft, corporate espionage, or regulatory non-compliance for organizations. The risk is heightened in environments where devices are frequently lost, stolen, or accessible to untrusted individuals, such as in field operations, travel, or shared device scenarios. Organizations relying on Apple mobile devices for sensitive communications or data storage may face increased exposure to insider threats or opportunistic attackers. Although no exploits are currently known in the wild, the vulnerability could be leveraged in targeted attacks against high-value individuals or organizations. Prompt patching is essential to mitigate these risks and maintain trust in device security controls.
Mitigation Recommendations
To mitigate CVE-2026-28895, organizations and users should immediately update all affected iOS and iPadOS devices to version 26.4 or later, where the vulnerability has been fixed with improved authentication checks. Beyond patching, organizations should enforce strict device management policies, including enabling full-disk encryption and strong passcodes, to reduce the risk of passcode compromise. Deploy Mobile Device Management (MDM) solutions to enforce security configurations and to remotely wipe lost or stolen devices promptly. Limit physical access to devices, especially in high-risk environments, and educate users on the importance of reporting lost or stolen devices immediately. For highly sensitive applications, consider implementing additional application-level encryption or multi-factor authentication mechanisms that do not rely solely on device biometrics or the device passcode. Regularly audit device security settings and access logs to detect suspicious activity. Finally, maintain an incident response plan that includes procedures for handling potential data exposure resulting from physical device compromise.
Affected Countries
United States, Canada, United Kingdom, Germany, France, Japan, Australia, South Korea, China, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: apple
- Date Reserved: 2026-03-03T16:36:03.981Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69c333e4f4197a8e3baaedb9
Added to database: 3/25/2026, 1:01:24 AM
Last enriched: 4/3/2026, 3:17:38 AM
Last updated: 5/8/2026, 7:24:32 PM