VYPR
Patch · Published Apr 23, 2026 · Updated May 18, 2026 · 1 source

Apple Patches iOS Bug That Let Deleted Notifications, Including Signal Chat Previews, Be Recovered

Apple has fixed CVE-2026-28950, a logging flaw in iOS and iPadOS that caused deleted notifications—including chat message previews from apps like Signal—to be retained in a device database, a bug law enforcement exploited to recover messages from an unlocked iPhone.

Apple has released emergency security updates for iOS and iPadOS to address a concerning privacy vulnerability that allowed deleted notifications—including sensitive chat message previews—to be recovered from a device's internal database. The flaw, tracked as CVE-2026-28950, was exploited in at least one known case by law enforcement to retrieve Signal messages from a defendant's unlocked iPhone using standard forensic tools.

The vulnerability stemmed from a logging issue in Apple's notification system. According to Apple's advisory, "notifications marked for deletion could be unexpectedly retained on the device." This meant that even after a user dismissed a notification, deleted a conversation, or uninstalled the messaging app entirely, copies of the notification content—including message previews—remained stored in a database accessible to forensic software. The bug affected both iOS and iPadOS.

The most prominent example of exploitation was reported by 404 Media, involving the encrypted messaging app Signal. In a statement shared on X, Signal confirmed: "The FBI was able to forensically extract copies of incoming Signal messages from a defendant's iPhone, even after the app was deleted, because copies of the content were saved in the device's push notification database." This revelation underscores a fundamental tension between push notification infrastructure and user privacy: notifications must be processed by the operating system, which can log their content before encryption or deletion takes effect.

Apple addressed the issue in iOS and iPadOS versions 18.7.8 and 26.4.2. The fix is described as "improved data redaction," meaning the operating system now properly scrubs notification content from its internal logs when a notification is deleted or the originating app is removed. Users are strongly advised to install the update immediately by navigating to Settings > General > Software Update and enabling automatic updates.
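For teams managing more than one device, the fixed releases above can be turned into a fleet check. The following is an added example, not code from Apple or from the original article; the CSV inventory format, its column names and the device names are constructed assumptions, and any release train the article does not name is flagged for manual review rather than guessed at.

```python
import csv
import io

# First fixed release per major-version train, as named in the article.
FIXED = {18: (18, 7, 8), 26: (26, 4, 2)}

# Constructed sample inventory (hypothetical MDM export format).
SAMPLE_INVENTORY = """device,os_version
ipad-lab-01,18.7.8
iphone-exec-02,18.7.7
iphone-legal-03,26.4.2
iphone-field-04,26.4
ipad-kiosk-05,17.7.2
iphone-byod-06,26.5
iphone-byod-07,n/a
"""

def parse_version(text):
    """Turn '26.4' into (26, 4, 0); raise ValueError on malformed input."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def classify(os_version):
    """Return patched / needs_update / review / unknown for CVE-2026-28950."""
    try:
        version = parse_version(os_version)
    except ValueError:
        return "unknown"          # inventory gap: chase the device owner
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "review"           # train not named in the article
    return "patched" if version >= fixed else "needs_update"

def audit(csv_text):
    """Group device names from the inventory by patch status."""
    report = {"patched": [], "needs_update": [], "review": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        report[classify(row.get("os_version") or "")].append(row["device"])
    return report

if __name__ == "__main__":
    for status, devices in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(devices) or '-'}")
```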

While the vulnerability has been patched, the incident highlights a broader privacy risk inherent in mobile push notification systems. Even end-to-end encrypted apps like Signal rely on Apple's push notification service to alert users of incoming messages, and the notification preview itself—often containing the message text—is processed by the OS before encryption can protect it. This creates a potential forensic recovery vector that security researchers have warned about for years.

For users seeking additional protection, Signal offers granular notification controls. Within the app's Settings > Notifications menu, users can disable message previews entirely, showing only the sender's name, or mute notifications for specific conversations. These settings prevent sensitive content from ever appearing in a notification, reducing the risk of future forensic recovery even if similar OS-level bugs emerge.

The CVE-2026-28950 patch serves as a reminder that privacy vulnerabilities can exist not just in apps, but in the underlying operating system services that apps rely on. As forensic tools become more sophisticated, the line between "deleted" and "recoverable" data continues to blur, making timely patching and proactive privacy settings essential for users handling sensitive communications.

Synthesized by Vypr AI