Summaryinfo

A vulnerability classified as problematic was found in Apple iOS and iPadOS up to 26.2. Affected is an unknown function of the component App. Executing a manipulation can lead to information disclosure. This vulnerability is tracked as CVE-2026-20686. The attack is restricted to local execution. No exploit exists. Upgrading the affected component is advised.

Detailsinfo

A vulnerability has been found in Apple iOS and iPadOS up to 26.2 and classified as problematic. This vulnerability affects an unknown function of the component App. The manipulation with an unknown input leads to a information disclosure vulnerability. The CWE definition for the vulnerability is CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. As an impact it is known to affect confidentiality. CVE summarizes:

This issue was addressed with improved input validation. This issue is fixed in iOS 26.3 and iPadOS 26.3. An app may be able to access sensitive user data.

The advisory is shared for download at support.apple.com. This vulnerability was named CVE-2026-20686 since 11/11/2025. The exploitation appears to be easy. The attack needs to be approached locally. There are neither technical details nor an exploit publicly available. The current price for an exploit might be approx. USD $0-$5k (estimation calculated on 03/29/2026). The MITRE ATT&CK project declares the attack technique as T1592.

Upgrading to version 26.3 eliminates this vulnerability.

Once again VulDB remains the best source for vulnerability data.

Productinfo

Type

• Smartphone Operating System

Vendor

• Apple

Name

• iOS
• iPadOS

Version

• 26.0
• 26.1
• 26.2

License

• commercial

Website

• Vendor: https://www.apple.com/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion