Medium severity 6.5 · NVD Advisory · Published Feb 11, 2026 · Updated Apr 2, 2026

CVE-2026-20680

Description

The issue was addressed with additional restrictions on the observability of app states. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.3. A sandboxed app may be able to access sensitive user data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A sandboxed app may access sensitive user data due to insufficient restrictions on app state observability, fixed in Apple OS updates.

Vulnerability Overview

CVE-2026-20680 is a security issue in Apple operating systems where a sandboxed app may be able to access sensitive user data. The root cause is insufficient restrictions on the observability of app states, allowing a malicious or compromised app to observe state information from other apps. The exact mechanism is not publicly detailed, but the issue was addressed by adding restrictions on app state observability.

Exploitation

To exploit this vulnerability, an attacker would need to have a sandboxed app installed on the target device. No special network position or authentication is required beyond the app's sandboxed environment. The app could observe app states of other applications, potentially leaking sensitive data. The attack surface is local, requiring the user to have installed the malicious app.

Impact

Successful exploitation could allow a sandboxed app to access sensitive user data, such as personal information, credentials, or other private data stored or processed by other apps. The impact is limited to data accessible through app state observation, but could lead to privacy breaches.

Mitigation

Apple has released patches for this issue across multiple operating systems: iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, and macOS Tahoe 26.3 [1][2][3][4]. Users are advised to update their devices to the latest available versions to mitigate the risk.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4

Patches

0

No patches discovered yet.

References

5
