CVE-2026-20655 Overview
CVE-2026-20655 is an authorization vulnerability affecting Apple iOS and iPadOS. An attacker with physical access to a locked device may bypass intended authorization checks and view sensitive user information. Apple addressed the issue through improved state management. The flaw is categorized under [CWE-287] Improper Authentication and requires local access with low privileges to exploit. No user interaction is required once physical access is obtained. Apple has released fixes in iOS 18.7.5, iPadOS 18.7.5, iOS 26.3, and iPadOS 26.3.
Critical Impact
An attacker with physical possession of a locked iPhone or iPad can access sensitive user data without unlocking the device, undermining lock screen confidentiality protections.
Affected Products
- Apple iOS versions prior to 18.7.5 and prior to 26.3
- Apple iPadOS versions prior to 18.7.5 and prior to 26.3
- iPhone and iPad devices running the affected operating system versions
Discovery Timeline
- 2026-02-11 - CVE-2026-20655 published to NVD
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2026-20655
Vulnerability Analysis
The vulnerability resides in the state management logic that enforces authorization boundaries on a locked iOS or iPadOS device. Apple's advisory describes the root issue as an authorization flaw resolved through improved state management. When a device is in the locked state, certain interface flows or system services fail to consistently verify that the user is authenticated before exposing data.
The issue results in confidentiality impact without affecting integrity or availability. An attacker cannot modify data or disrupt device operation, but can read information that should remain protected behind the lock screen. The CWE-287 classification confirms the underlying weakness is improper authentication rather than memory corruption or injection.
Exploitation does not require network access, malware execution, or user interaction. The attacker only needs the physical device and knowledge of the interaction sequence that triggers the state inconsistency.
Root Cause
The root cause is inconsistent state tracking between the lock screen authorization layer and downstream components that display or handle user data. A specific sequence of inputs places the system into a state where authorization checks are not enforced, allowing sensitive information to be rendered or accessed on the locked screen.
Attack Vector
The attack vector is local and physical. An attacker who obtains a locked iPhone or iPad — for example, through theft, loss, or temporary unsupervised access — performs a specific sequence of interactions on the lock screen. This sequence triggers the state management flaw and reveals sensitive user information without requiring the device passcode, Face ID, or Touch ID authentication.
Apple has not published the specific interaction sequence in its advisories. Technical details are available in the Apple Support Document #126346 and Apple Support Document #126347.
Detection Methods for CVE-2026-20655
Indicators of Compromise
- No network-based indicators of compromise are associated with this vulnerability because exploitation is local and leaves no remote artifacts.
- Physical access events to lost or stolen devices should be treated as potential exploitation opportunities until the device is patched.
- Unexpected disclosures of data that should be protected by the lock screen may indicate exploitation.
Detection Strategies
- Inventory managed iOS and iPadOS devices through mobile device management (MDM) and identify endpoints running versions earlier than iOS 18.7.5 or iOS 26.3.
- Correlate device loss or theft reports with the patch status of the affected device to assess exposure of sensitive data.
- Audit MDM compliance policies to ensure minimum OS version requirements include the fixed releases.
Monitoring Recommendations
- Enable MDM-based OS version reporting and alert on devices that remain on vulnerable iOS or iPadOS builds.
- Monitor enterprise data access patterns from mobile devices for anomalous activity following reported physical loss.
- Track Apple security advisory releases to identify newly disclosed lock screen bypass issues affecting your fleet.
How to Mitigate CVE-2026-20655
Immediate Actions Required
- Update all iPhone and iPad devices to iOS 18.7.5, iPadOS 18.7.5, iOS 26.3, or iPadOS 26.3 or later.
- Enforce minimum OS version compliance through MDM and quarantine non-compliant devices from sensitive resources.
- For lost or stolen devices that have not been updated, initiate a remote wipe through Find My or MDM to prevent data exposure.
Patch Information
Apple released fixes in iOS 18.7.5, iPadOS 18.7.5, iOS 26.3, and iPadOS 26.3. Patch details and supported device lists are documented in Apple Support Document #126346 and Apple Support Document #126347. Users should install updates through Settings > General > Software Update.
Workarounds
- Reduce lock screen exposure by disabling sensitive widgets, notification previews, and Control Center access from the locked state in Settings > Face ID & Passcode.
- Limit Siri access on the lock screen to reduce the surface area for unauthenticated interactions with user data.
- Enable automatic data wipe after failed passcode attempts to limit exposure if a device is lost or stolen.
# Verify installed iOS or iPadOS version on a device
# Navigate to: Settings > General > About > Software Version
# Ensure value is >= 18.7.5 (iOS 18 branch) or >= 26.3 (iOS 26 branch)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

