Summary
CVE-2026-28950 is a medium-severity information disclosure vulnerability in Apple iOS and iPadOS caused by a Notification Services logging issue that allowed deleted notifications to remain stored on devices unexpectedly. The flaw could expose sensitive notification content, including private messages and authentication data, to anyone with local device access. Apple fixed the issue through improved data redaction in iOS/iPadOS 15.8.8, 16.7.16, 17.7.11, 18.7.8, and 26.4.2.
Urgent Actions Required
- Update affected iPhone and iPad devices to the latest patched iOS or iPadOS versions immediately.
- Restrict notification previews for sensitive applications where possible.
- Configure messaging applications to limit notification content visibility using settings such as “Name Only” or “No Name or Content.”
- Enforce strong device passcodes, biometric authentication, and physical device security controls.
- Use MDM compliance policies to identify and remediate devices running vulnerable operating system versions.
Which Systems Are Vulnerable to CVE-2026-28950?
Technical Overview
- Vulnerability Type: Information Disclosure via Retained Notification Data
Affected Software/Versions:
- iOS versions prior to 15.8.8
- iOS versions prior to 16.7.16
- iOS versions prior to 18.7.8
- iOS versions prior to 26.4.2
- iPadOS versions prior to 15.8.8
- iPadOS versions prior to 16.7.16
- iPadOS versions prior to 17.7.11
- iPadOS versions prior to 18.7.8
- iPadOS versions prior to 26.4.2
CVSS Vector: v3.1
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Patch Availability: Yes (see Apple's security content notes below)
- About the security content of iOS 26.4.2 and iPadOS 26.4.2 - Apple Support
- About the security content of iOS 18.7.8 and iPadOS 18.7.8 - Apple Support
- About the security content of iPadOS 17.7.11 - Apple Support
- About the security content of iOS 16.7.16 and iPadOS 16.7.16 - Apple Support
- About the security content of iOS 15.8.8 and iPadOS 15.8.8 - Apple Support
How Does the CVE-2026-28950 Exploit Work?
The attack typically follows these steps:
What Causes CVE-2026-28950?
Vulnerability Root Cause:
This vulnerability was caused by a logging and data redaction issue in Apple’s Notification Services. Notifications marked for deletion were not fully removed from internal device storage, so their content unexpectedly remained on the device. Because of this incomplete redaction, sensitive information from deleted notifications could potentially be recovered from affected devices by someone with local access.
How Can You Mitigate CVE-2026-28950?
If immediate patching is delayed or not possible:
- Restrict notification previews for sensitive applications on affected devices.
- Set notification visibility to options such as “Name Only” or “No Name or Content” where supported.
- Disable notification content display for messaging and authentication applications.
- Enforce strong passcodes, Face ID, or Touch ID to reduce unauthorized local access risks.
- Use MDM policies to identify devices running vulnerable iOS or iPadOS versions.
- Limit physical access to devices that may contain sensitive notification data.
Which Assets and Systems Are at Risk?
Asset Types Affected:
- iPhone devices running vulnerable iOS versions
- iPad devices running vulnerable iPadOS versions
- Applications displaying sensitive notification content on affected devices
Business-Critical Systems at Risk:
- Messaging applications displaying notification previews
- Applications delivering one-time passcodes or authentication prompts through notifications
- Devices used for sensitive communications or enterprise access
Exposure Level:
- Devices running iOS or iPadOS versions prior to patched releases
- Devices containing sensitive notification data
- Devices accessible to unauthorized individuals with local or physical access
Will Patching CVE-2026-28950 Cause Downtime?
Patch application impact: Low. Updating to iOS/iPadOS 15.8.8, 16.7.16, 17.7.11, 18.7.8, or 26.4.2 requires standard device updates with minimal expected downtime.
Mitigation (if immediate patching is not possible): Limit notification previews, disable sensitive notification content, and enforce strong device authentication to reduce exposure until updates are installed.
How Can You Detect CVE-2026-28950 Exploitation?
Exploitation Signatures:
Retained notification content on affected iPhone or iPad devices after notifications were deleted or dismissed may indicate exposure related to CVE-2026-28950.
Indicators of Compromise (IOCs/IOAs):
- Notification content remaining in device logs or diagnostic data after deletion
- Devices running vulnerable iOS or iPadOS versions
- Recovered message previews, authentication prompts, or one-time passcodes from retained notification storage
Behavioral Indicators:
- Deleted notifications continue to exist in internal device storage
- Sensitive notification previews remain accessible after app removal or notification deletion
- Unexpected retention of notification-related data on affected devices
Alerting Strategy:
- Priority: Medium
Trigger alerts for:
- Devices running unpatched iOS or iPadOS versions
- Retained notification content found in diagnostic or sysdiagnose data
- Unauthorized local or physical access to affected devices
Remediation & Response
Incident Response Considerations:
- Review affected devices for retained notification content in diagnostic or sysdiagnose data.
- Investigate devices exposed to unauthorized local or physical access.
- Identify whether sensitive notifications, authentication prompts, or message previews may have been retained.
- Use MDM compliance checks to identify devices still running vulnerable operating system versions.
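The MDM compliance check recommended above (and in the Urgent Actions list) is a version comparison across several release branches, since the fixed release differs per branch and, per the advisory, 17.7.11 is listed for iPadOS only. The script below is an added example, not code from the advisory or from Apple: it encodes the patched minimums from this page, compares versions numerically (so that "26.10" is correctly treated as newer than "26.4.2", which a plain string comparison would get wrong), and flags branches the advisory does not cover for manual review. The device inventory and its `id`/`os`/`version` field names are constructed sample data and an assumption about what an MDM export would contain.

```python
"""Branch-aware iOS/iPadOS version compliance check for CVE-2026-28950.

Added example, not from the advisory or from Apple. The minimum patched
releases are the versions listed in the advisory; the device inventory and
the 'id' / 'os' / 'version' field names are constructed sample data.
"""
from typing import Dict, List, Optional, Tuple

# Minimum patched release per major version, per platform (from the advisory).
# The advisory lists a 17.x fix (17.7.11) for iPadOS only.
PATCHED_MIN: Dict[str, Dict[int, str]] = {
    "iOS":    {15: "15.8.8", 16: "16.7.16", 18: "18.7.8", 26: "26.4.2"},
    "iPadOS": {15: "15.8.8", 16: "16.7.16", 17: "17.7.11", 18: "18.7.8", 26: "26.4.2"},
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '18.7.8' into (18, 7, 8); a two-part '18.7' is padded to (18, 7, 0).

    Integer tuples compare numerically, so (26, 10, 0) > (26, 4, 2),
    whereas the strings '26.10' and '26.4.2' would compare the wrong way.
    """
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def is_vulnerable(os_name: str, version: str) -> Optional[bool]:
    """True if the version is older than the fixed release for its branch.

    Returns None when the platform/major-version branch is not covered by the
    advisory (for example iOS 17.x, which has no listed fix here); such devices
    should be reviewed by hand rather than silently marked as patched.
    """
    ver = parse_version(version)
    fixed = PATCHED_MIN.get(os_name, {}).get(ver[0])
    if fixed is None:
        return None
    return ver < parse_version(fixed)


def audit(devices: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Bucket device IDs into 'vulnerable', 'patched' and 'review'."""
    result: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "review": []}
    for device in devices:
        status = is_vulnerable(device["os"], device["version"])
        if status is None:
            bucket = "review"
        else:
            bucket = "vulnerable" if status else "patched"
        result[bucket].append(device["id"])
    return result


# Constructed sample inventory (not real devices).
SAMPLE_DEVICES: List[Dict[str, str]] = [
    {"id": "iphone-001", "os": "iOS",    "version": "18.7.7"},   # one behind the fix
    {"id": "iphone-002", "os": "iOS",    "version": "18.7.8"},   # exactly the fix
    {"id": "ipad-001",   "os": "iPadOS", "version": "17.7.10"},  # behind the iPadOS-only fix
    {"id": "ipad-002",   "os": "iPadOS", "version": "26.4.2"},   # exactly the fix
    {"id": "iphone-003", "os": "iOS",    "version": "26.4"},     # two-part version, behind 26.4.2
    {"id": "iphone-004", "os": "iOS",    "version": "17.7.11"},  # branch not covered for iOS
]

if __name__ == "__main__":
    for bucket, ids in audit(SAMPLE_DEVICES).items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

In practice the inventory would come from the MDM's device export; the "review" bucket is deliberate, because a device on a branch the advisory does not list should surface for a human decision rather than be counted as compliant.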
CVSS Breakdown Table
| Metric | Value | Description |
|---|---|---|
| Base Score | 6.2 | Medium-severity information disclosure vulnerability |
| Attack Vector | Local | Exploitation requires local or physical access to the device |
| Attack Complexity | Low | The issue does not require complex attack conditions |
| Privileges Required | None | No elevated privileges are required |
| User Interaction | None | No user action is needed for exploitation |
| Scope | Unchanged | The impact remains limited to the affected device |
| Confidentiality Impact | High | Sensitive notification data may be exposed |
| Integrity Impact | None | No unauthorized data modification is described |
| Availability Impact | None | The vulnerability does not affect device availability |
References: