Executive Summary
In April 2026, Apple released out-of-band security updates for iOS and iPadOS to address a vulnerability (CVE-2026-28950) where notifications marked for deletion were unexpectedly retained on devices. This flaw, present in versions prior to iOS 18.7.8 and iOS 26.4.2, could potentially allow unauthorized access to sensitive information through retained notifications. The issue was resolved by improving data redaction processes.
This incident underscores the critical importance of timely software updates and robust data management practices. It also highlights the potential risks associated with residual data storage, emphasizing the need for organizations to implement comprehensive data protection strategies to safeguard sensitive information.
Why This Matters Now
The CVE-2026-28950 vulnerability highlights the ongoing challenges in data privacy and security, emphasizing the necessity for organizations to stay vigilant and proactive in applying security updates to protect sensitive information from unauthorized access.
Attack Path Analysis
An attacker exploited a logging issue in iOS and iPadOS (CVE-2026-28950) to access notifications marked for deletion that were unexpectedly retained on the device. This allowed unauthorized access to sensitive information without the need for privilege escalation or lateral movement. The attacker established command and control by remotely accessing the device's notification storage. Exfiltration occurred as the attacker extracted the retained notification data. The impact was the unauthorized disclosure of sensitive user information.
Kill Chain Progression
Initial Compromise
Description
Exploited a logging issue in iOS and iPadOS (CVE-2026-28950) to access notifications marked for deletion that were unexpectedly retained on the device.
Related CVEs
CVE-2026-28950
CVSS: 4.3
A logging issue in Notification Services allowed notifications marked for deletion to be unexpectedly retained on the device.
Affected Products:
Apple iOS – 26.4.1 and earlier
Apple iPadOS – 26.4.1 and earlier
Exploit Status:
no public exploit
References:
MITRE ATT&CK® Techniques
Data Manipulation: Stored Data Manipulation
Indicator Removal: File Deletion
Data Destruction
Indicator Removal on Host: File Deletion
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Secure Storage of Cardholder Data
Control ID: 3.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Data Lifecycle Management
Control ID: Data Security
NIS2 Directive – Security of Network and Information Systems
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
iOS notification data retention exposes sensitive financial communications, creating regulatory compliance risks under data protection requirements and potential forensic evidence concerns.
Health Care / Life Sciences
Retained notification data containing patient information violates HIPAA requirements, as encrypted messaging apps like Signal may leak sensitive healthcare communications through iOS storage.
Law Practice/Law Firms
Attorney-client privileged communications retained in iOS notifications despite deletion create significant legal exposure, as demonstrated by FBI's ability to recover Signal messages.
Government Administration
Government officials using iOS devices face data exposure risks from retained notifications, potentially compromising classified or sensitive communications despite using encrypted messaging platforms.
Sources
- Apple fixes iOS bug that retained deleted notification data: https://www.bleepingcomputer.com/news/security/apple-fixes-ios-bug-that-retained-deleted-notification-data/ (Verified)
- About the security content of iOS 26.4.2 and iPadOS 26.4.2: https://support.apple.com/en-us/127002 (Verified)
- FBI extracts suspect's deleted Signal messages saved in iPhone notification database: https://www.404media.co/fbi-extracts-suspects-deleted-signal-messages-saved-in-iphone-notification-database-2/ (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to exploit retained notifications, thereby reducing the scope of unauthorized data access.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit the logging issue to access retained notifications would likely have been constrained, reducing unauthorized data access.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to access sensitive information without elevated privileges would likely have been constrained, reducing unauthorized data access.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the network would likely have been constrained, reducing the risk of further compromise.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish remote access to the device's notification storage would likely have been constrained, reducing unauthorized data retrieval.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate retained notification data from the device would likely have been constrained, reducing unauthorized data transfer.
The unauthorized disclosure of sensitive user information would likely have been constrained, reducing the overall impact of the incident.
Impact at a Glance
Affected Business Functions
- User Privacy Management
- Data Retention Policies
Estimated downtime: N/A
Estimated loss: N/A
Potential retention of deleted notification data, including sensitive message content from applications like Signal.
Recommended Actions
Key Takeaways & Next Steps
- Implement data encryption for sensitive information at rest and in transit to prevent unauthorized access.
- Enforce strict access controls and authentication mechanisms to limit unauthorized access to device storage.
- Regularly audit and monitor logging mechanisms to identify and remediate unintended data retention issues.
- Apply timely security patches and updates to address known vulnerabilities like CVE-2026-28950.
- Educate users on security best practices to minimize the risk of data exposure through device vulnerabilities.
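An added fleet-triage example, not from the source page or from Apple: it compares MDM-reported iOS/iPadOS versions against the fixed builds named in this report (18.7.8 and 26.4.2), treating release branches the advisory does not name as unknown rather than guessing. The inventory rows and device ids are constructed.

```python
"""Fleet check for CVE-2026-28950 exposure by iOS/iPadOS version.

Constructed example: reads MDM-style inventory rows and reports which
devices still run a build below the fixed version for their release
branch. Fixed versions come from the advisory: 18.7.8 and 26.4.2.
"""

# Minimum fixed build per major release branch (from the advisory).
FIXED_BY_MAJOR = {
    18: (18, 7, 8),
    26: (26, 4, 2),
}


def parse_version(text: str) -> tuple:
    """Turn '26.4.1' into (26, 4, 1); missing components count as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def assess(version_text: str) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for one device version."""
    v = parse_version(version_text)
    fixed = FIXED_BY_MAJOR.get(v[0])
    if fixed is None:
        # Branch not named in the advisory: do not guess, flag for review.
        return "unknown"
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory: list) -> dict:
    """Group device ids by assessment from (device_id, platform, version) rows."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for device_id, platform, version in inventory:
        if platform not in ("iOS", "iPadOS"):
            continue  # only the two affected platforms are in scope
        result[assess(version)].append(device_id)
    return result


# Constructed sample inventory (hypothetical device ids, not real data).
SAMPLE_INVENTORY = [
    ("ipad-01", "iPadOS", "26.4.1"),
    ("iphone-02", "iOS", "26.4.2"),
    ("iphone-03", "iOS", "18.7.7"),
    ("iphone-04", "iOS", "18.7.8"),
    ("iphone-05", "iOS", "17.7"),
    ("mac-06", "macOS", "15.4"),
]

if __name__ == "__main__":
    for status, ids in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(ids) or '-'}")
```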