CVE-2026-28950 Overview
CVE-2026-28950 is an information disclosure vulnerability affecting Apple iOS and iPadOS devices. The vulnerability stems from a logging issue where notifications marked for deletion could be unexpectedly retained on the device due to improper data redaction in the logging subsystem. This privacy-sensitive flaw (CWE-359: Exposure of Private Personal Information to an Unauthorized Actor) could allow unauthorized access to notification content that users believed had been deleted.
Critical Impact
Notifications marked for deletion by users may persist on the device, potentially exposing sensitive personal information to unauthorized parties with local device access.
Affected Products
- iOS 18.7.8 and earlier versions
- iPadOS 18.7.8 and earlier versions
- iOS 26.4.2 and earlier versions
- iPadOS 26.4.2 and earlier versions
Discovery Timeline
- 2026-04-22 - CVE-2026-28950 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-28950
Vulnerability Analysis
This vulnerability represents an information disclosure issue classified under CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor). The core problem lies in the iOS/iPadOS logging mechanism, which failed to properly redact notification data when users performed deletion operations.
When a user deletes a notification, the system should completely remove all traces of that notification's content. However, due to insufficient data redaction in the logging subsystem, the notification content could be inadvertently preserved in system logs. This creates a situation where sensitive information from notifications—which may include personal messages, financial alerts, authentication codes, or other private data—remains accessible on the device despite the user's explicit intent to delete it.
The vulnerability requires local access to exploit, meaning an attacker would need physical access to the device or the ability to execute code locally. While this limits the attack surface compared to network-exploitable vulnerabilities, it remains a significant privacy concern for users in scenarios involving device theft, shared devices, or forensic analysis.
Root Cause
The root cause of CVE-2026-28950 is improper data redaction within the iOS/iPadOS logging framework. When notifications are processed for deletion, the logging subsystem captures notification metadata and potentially content without applying appropriate redaction filters. This results in sensitive notification data being written to logs that persist beyond the notification's intended lifecycle.
Apple's logging infrastructure typically includes mechanisms to sanitize sensitive data before writing to logs. In this case, those mechanisms failed to properly identify and redact notification content during deletion operations, leaving a residual data footprint.
Attack Vector
The attack vector for this vulnerability is local access (AV:L). An attacker exploiting this vulnerability would need:
- Physical device access or local code execution capability on the target iOS/iPadOS device
- Access to system logs where the unredacted notification data is stored
- Knowledge of where the retained notification data resides within the logging infrastructure
Exploitation scenarios include:
- An attacker with temporary physical access to an unlocked device extracting log files
- Malicious applications with elevated privileges accessing log data
- Forensic analysis revealing notification content the user believed was deleted
- Device theft followed by log extraction through forensic tools
Since the vulnerability does not require user interaction (UI:N) and can be exploited without privileges (PR:N), the barrier to exploitation is primarily gaining local access to the device.
Detection Methods for CVE-2026-28950
Indicators of Compromise
- Unexpected retention of notification data in system logs after user deletion
- Presence of notification content in log files dated after the notification was marked for deletion
- Anomalous log file sizes that may indicate accumulation of unredacted notification data
- Evidence of unauthorized log file access or extraction attempts
Detection Strategies
- Monitor for unusual access patterns to iOS/iPadOS system log directories
- Implement mobile device management (MDM) policies to track log access events
- Deploy endpoint detection solutions capable of monitoring iOS/iPadOS file system activity
- Audit device access logs for signs of unauthorized physical access or connection to extraction tools
Monitoring Recommendations
- Enable SentinelOne Mobile Threat Defense to monitor for suspicious local access patterns on iOS/iPadOS devices
- Configure alerts for any attempts to access or extract system log files from managed devices
- Implement device attestation to detect jailbroken or compromised devices where log extraction would be easier
- Review MDM logs for unauthorized device connections or backup extraction attempts
How to Mitigate CVE-2026-28950
Immediate Actions Required
- Update all iOS devices to iOS 18.7.8 or iOS 26.4.2, or later, immediately
- Update all iPadOS devices to iPadOS 18.7.8 or iPadOS 26.4.2, or later, immediately
- Enforce device update policies through MDM solutions to ensure compliance
- Consider clearing device logs on affected devices prior to updating as an additional precaution
Patch Information
Apple has addressed this vulnerability by implementing improved data redaction in the logging subsystem. The fix ensures that notification content is properly sanitized before being written to logs, and that deletion operations remove all residual notification data.
Security updates are available through:
Users and administrators should apply these updates through standard iOS/iPadOS update mechanisms (Settings > General > Software Update) or through MDM-managed deployment.
Workarounds
- Restrict physical access to devices containing sensitive notification data
- Enable strong device authentication (Face ID, Touch ID, complex passcodes) to prevent unauthorized access
- Use MDM solutions to enforce encryption and remote wipe capabilities on managed devices
- Consider disabling notification previews for sensitive applications until patches are applied
- Limit the use of sensitive notifications on devices that cannot be immediately updated
# MDM Configuration Profile - Enforce minimum iOS version
# Deploy via your MDM solution to require patched versions
# Example: Restrict access until device meets minimum OS version
# Check device iOS version via MDM query
# Minimum required: iOS 18.7.8 or iOS 26.4.2
# Compliance policy recommendation:
# - Block access to corporate resources for non-compliant devices
# - Enable automatic OS update enforcement where supported
# - Configure notification restrictions for sensitive apps
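The minimum-version compliance check recommended above has to handle two patched release trains, so a single "18.7.8 or later" comparison wrongly passes unpatched 26.x builds. The following is an added example, not part of the original advisory or any MDM product's API; the function names, inventory layout and device IDs are hypothetical, and the fixed versions are the ones listed on this page.

```python
# Added example: fixed versions come from this advisory; the inventory
# rows and field layout are constructed for illustration.
PATCHED = {18: (18, 7, 8), 26: (26, 4, 2)}  # minimum fixed build per release train

def parse_version(text):
    """Turn '18.7' into (18, 7, 0); raise ValueError on anything else."""
    pieces = text.strip().split(".")
    if not 1 <= len(pieces) <= 3 or not all(p.isdigit() for p in pieces):
        raise ValueError(f"unexpected version format: {text!r}")
    nums = [int(p) for p in pieces]
    return tuple(nums + [0] * (3 - len(nums)))

def naive_is_compliant(os_version):
    """Single-floor check: wrongly passes unpatched 26.x builds."""
    return parse_version(os_version) >= PATCHED[18]

def is_compliant(os_version):
    """Compare against the fixed build of the device's own release train."""
    version = parse_version(os_version)
    floor = PATCHED.get(version[0])
    if floor is not None:
        return version >= floor
    # Assumption: trains newer than the newest listed one ship with the fix;
    # trains not listed here have no fixed build on this page.
    return version[0] > max(PATCHED)

def audit(inventory):
    """Map device id to 'compliant', 'update-required' or 'unknown-version'."""
    report = {}
    for device_id, os_version in inventory:
        try:
            ok = is_compliant(os_version)
        except ValueError:
            report[device_id] = "unknown-version"  # handle as non-compliant
            continue
        report[device_id] = "compliant" if ok else "update-required"
    return report

INVENTORY = [  # constructed sample rows: (device id, reported OS version)
    ("ipad-001", "18.7.7"), ("iphone-002", "18.7.8"),
    ("iphone-003", "26.0"), ("iphone-004", "26.4.2"),
    ("ipad-005", "17.7.2"), ("iphone-006", ""),
]

if __name__ == "__main__":
    for device, status in audit(INVENTORY).items():
        print(f"{device}: {status}")
```

Devices that report no parseable version are kept separate from `update-required` so they can be re-queried rather than silently passed.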
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

