CVE-2026-28895

The issue was addressed with improved checks. This issue is fixed in iOS 26.4 and iPadOS 26.4. An attacker with physical access to an iOS device with Stolen Device Protection enabled may be able to access biometrics-gated Protected Apps with the passcode.

CVSS v3 4.6 MEDIUM

4.6^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.9 / Impact : 3.6

Attack Vector PHYSICAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://support.apple.com/en-us/126792	Vendor Advisory Release Notes

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:apple:ipados::::::::
	cpe:2.3:o:apple:iphone_os::::::::

History

26 Mar 2026, 18:58

Type	Values Removed	Values Added
CPE		cpe:2.3:o:apple:ipados:::::::: cpe:2.3:o:apple:iphone_os::::::::
First Time		Apple ipados Apple Apple iphone Os
Summary		(es) El problema se abordó con comprobaciones mejoradas. Este problema se corrigió en iOS 26.4 y iPadOS 26.4. Un atacante con acceso físico a un dispositivo iOS con Protección de Dispositivos Robados habilitada podría acceder a Aplicaciones Protegidas con autenticación biométrica usando el código de acceso.
References	~~() https://support.apple.com/en-us/126792 -~~	() https://support.apple.com/en-us/126792 - Vendor Advisory, Release Notes

25 Mar 2026, 21:16

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.6
CWE		CWE-284

25 Mar 2026, 01:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-25 01:17

Updated : 2026-03-26 18:58

NVD link : CVE-2026-28895

Mitre link : CVE-2026-28895

CVE.ORG link : CVE-2026-28895

JSON object : View

Products Affected

apple

ipados
iphone_os

CWE

CWE-284

Improper Access Control

4.6 /10