CVE-2026-20661 Overview
CVE-2026-20661 is an authorization vulnerability affecting Apple iOS and iPadOS. The flaw stems from improper state management within the operating system's lock screen authorization logic. An attacker with physical access to a locked device may view sensitive user information without authenticating. Apple addressed the issue through improved state management in iOS 18.7.5, iPadOS 18.7.5, iOS 26.3, and iPadOS 26.3. The vulnerability is categorized under [CWE-285] Improper Authorization and requires physical proximity to the target device.
Critical Impact
An attacker with physical access to a locked iPhone or iPad can bypass authorization controls and view sensitive user data without unlocking the device.
Affected Products
- Apple iOS versions prior to 18.7.5
- Apple iPadOS versions prior to 18.7.5
- Apple iOS versions prior to 26.3 and iPadOS versions prior to 26.3
Discovery Timeline
- 2026-02-11 - CVE-2026-20661 published to NVD
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2026-20661
Vulnerability Analysis
The vulnerability resides in the authorization state management of iOS and iPadOS. The operating system fails to correctly track lock state when servicing certain user interface requests. As a result, an attacker can access information that should only be available after device unlock. The flaw maps to [CWE-285] Improper Authorization, indicating the system grants access without verifying the caller's authorization context.
The attack vector is physical, which limits scale but raises risk for lost or stolen devices. Confidentiality impact is rated high, while integrity and availability remain unaffected. The EPSS score is 0.021%, reflecting a low probability of opportunistic exploitation in the wild.
Root Cause
The root cause is a state management error in the authorization pathway. Specific iOS subsystems do not reevaluate the device lock state before exposing sensitive UI elements or data. Apple's advisory describes the fix as "improved state management," indicating that the patched code adds checks to ensure the lock state is enforced consistently across the affected component.
Attack Vector
Exploitation requires physical possession of the locked device. The attacker interacts with the locked interface through supported gestures, accessory invocations, or interface elements that trigger the vulnerable code path. No user interaction from the device owner is required, and no credentials are needed. Apple has not published specific reproduction steps, and no public proof-of-concept exploit is available.
The vulnerability mechanism is described in Apple Support Advisory #126346 and Apple Support Advisory #126347. No verified exploit code has been released.
Detection Methods for CVE-2026-20661
Indicators of Compromise
- No network-based indicators exist because exploitation requires physical access to the device.
- Unexpected access to sensitive screens such as messages, photos, or notifications without prior unlock events recorded in device logs.
- Reports from users that information was visible on a locked device they did not unlock.
Detection Strategies
- Use Mobile Device Management (MDM) tooling to enumerate iOS and iPadOS versions across the fleet and flag devices running versions below 18.7.5 or 26.3.
- Correlate physical security incidents such as lost or stolen device reports with the device's patch status.
- Review device unlock and screen activation telemetry available through enterprise mobility platforms for anomalous patterns.
Monitoring Recommendations
- Continuously monitor iOS and iPadOS version compliance through MDM compliance policies.
- Alert on devices that fail to install the security update within defined SLAs.
- Track lost and stolen device reports and accelerate remote wipe procedures when affected device versions are involved.
How to Mitigate CVE-2026-20661
Immediate Actions Required
- Update all iPhones to iOS 18.7.5 or iOS 26.3, and all iPads to iPadOS 18.7.5 or iPadOS 26.3.
- Enforce automatic updates through MDM policies to ensure timely patching across the device fleet.
- For high-risk users, verify the patched version is installed before granting access to sensitive corporate resources.
Patch Information
Apple released fixes in iOS 18.7.5, iPadOS 18.7.5, iOS 26.3, and iPadOS 26.3. Details are available in Apple Support Advisory #126346 and Apple Support Advisory #126347. The patch implements improved state management within the affected authorization logic.
Workarounds
- No software workaround exists prior to applying the patch. Apply the vendor update as the primary remediation.
- Reduce physical exposure by enabling strong passcodes and configuring shorter auto-lock intervals.
- Disable lock screen access to features that expose sensitive data, such as notifications, Siri suggestions, and Control Center on the lock screen, until devices are patched.
# Verify installed iOS or iPadOS version on a managed device via MDM query
# Example: Apple MDM DeviceInformation query key
OSVersion
BuildVersion
ProductName
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
