VYPR
Medium severity · 5.3 · NVD Advisory · Published Feb 11, 2026 · Updated Apr 2, 2026

CVE-2026-20673

Description

A logic issue was addressed with improved checks. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.3. Turning off "Load remote content in messages" may not apply to all mail previews.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Because of a logic issue, Apple's "Load remote content in messages" setting may not be applied to all mail previews, potentially exposing users to unwanted remote content loading.

Vulnerability Description

A logic issue in the handling of the "Load remote content in messages" setting results in the setting not being applied to all mail previews. When users disable remote content loading to protect privacy, certain previews may still inadvertently load remote resources, such as images or tracking pixels. This flaw undermines the user's explicit privacy preference.

Attack Vector

An attacker can send a crafted email containing remote content (e.g., a tracking pixel) to a target user. If the user has disabled remote content loading but the setting fails to apply to certain mail previews, the remote content may still be loaded when the email is previewed. No authentication beyond sending an email is required, and the attack exploits the UI logic gap rather than requiring complex network access.
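The check below is an added example, not Apple's code and not a reproduction of the flaw. It lists the remote references in a message's HTML parts, which is what a preview would fetch if the setting were not applied, so a mail gateway or analyst can see them regardless of client behaviour. The sample message, its hosts and the function names are constructed for illustration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
URL_IN_CSS = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)

def is_remote(url):
    # cid: (inline attachment) and data: URIs need no network request.
    return url.lower().startswith(("http://", "https://", "//"))

class RemoteRefFinder(HTMLParser):
    """Collects (tag, url, looks_like_pixel) for each remote fetch in an HTML body."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        # 0x0 or 1x1 images are the usual open-tracking beacon.
        tiny = tag == "img" and a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        for name, value in a.items():
            urls = []
            if name == "style":
                urls = URL_IN_CSS.findall(value)
            elif name == "srcset":
                urls = [c.split()[0] for c in value.split(",") if c.strip()]
            elif name in ("src", "background", "poster") or (tag == "link" and name == "href"):
                urls = [value.strip()]
            self.refs += [(tag, u, tiny and name == "src") for u in urls if is_remote(u)]

def audit_message(raw):
    """Return the remote references in every text/html part of a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    finder = RemoteRefFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.refs

# Constructed sample message; hosts and the id value are placeholders.
SAMPLE = b"""Content-Type: text/html; charset="utf-8"

<body style="background:url('https://cdn.example.net/bg.png')">
<img src="cid:logo@example.com" width="120" height="40">
<img src="https://t.example.net/o.gif?id=PLACEHOLDER" width="1" height="1">
"""

if __name__ == "__main__":
    print(audit_message(SAMPLE))
```

Remote URLs inside `<style>` blocks are not covered by this sketch; only element attributes are inspected.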

Impact

Successful exploitation allows an attacker to potentially track email opens, collect IP addresses, or load other remote resources without the user's knowledge or consent. This can lead to privacy violations and information leakage, as the user's action to block remote content is bypassed in specific preview scenarios.

Mitigation

Apple addressed this issue with improved checks in the operating system updates released on February 11, 2026: iOS 18.7.5 and iPadOS 18.7.5, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, and macOS Tahoe 26.3 [1][2][3][4]. Users are strongly advised to install these updates to ensure the setting is applied consistently across all mail previews.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

8

References

4
