CVE-2026-28895
Passcode Bypass Enables Unauthorized Access to Biometrics-Gated Apps on iOS
Publication date: 2026-03-25
Last updated on: 2026-03-26
Assigner: Apple Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apple | ipados | < 26.4 (26.4 excluded) |
| apple | iphone_os | < 26.4 (26.4 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves a security flaw in iOS and iPadOS devices with Stolen Device Protection enabled. An attacker who has physical access to such a device may be able to bypass biometric protections and access apps that are normally gated by biometrics by using the device passcode.
How can this vulnerability impact me?
If exploited, this vulnerability could allow an attacker with physical access to your iOS or iPadOS device to access sensitive apps that are protected by biometric authentication, using only the device passcode. This could lead to unauthorized access to personal or confidential information stored within those apps.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update your iOS and iPadOS devices to version 26.4 or later, where the issue has been fixed with improved checks.
Ensure that Stolen Device Protection is enabled on your devices to help protect biometrics-gated Protected Apps.