Description
A privacy issue was addressed with improved handling of user preferences. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. "Hide IP Address" and "Block All Remote Content" may not apply to all mail content.
Published: 2026-03-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privacy leakage (IP address exposure and unblocked remote content)
Action: Patch
AI Analysis

Impact

This vulnerability arises from inadequate enforcement of user‑defined privacy settings in Apple’s mail handling. The “Hide IP Address” preference may not be applied to all mail content, so the user’s IP address can be exposed when that content loads. In addition, the “Block All Remote Content” option may not be applied to every piece of mail, letting external web resources load even when the user has opted to block them. The effect is a privacy breach that enables tracking and the loading of remote content without user consent.

Affected Systems

Apple iOS and iPadOS versions before 26.4, macOS Sequoia before 15.7.5, macOS Sonoma before 14.8.5 and macOS Tahoe before 26.4 are impacted. Any device running a version prior to the fixes listed in the Apple support references is potentially vulnerable.

Risk and Exploitability

The CVSS score of 5.3 reflects a moderate impact; the EPSS score of under 1% indicates a low likelihood of widespread exploitation. The vulnerability is not listed in CISA’s KEV catalog, suggesting it has not yet been observed in the wild at large scale. Exploitation would occur via crafted email content that the privacy preferences fail to cover, primarily affecting mail users who rely on these settings to prevent IP leakage or remote content loading.

Generated by OpenCVE AI on March 27, 2026 at 21:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest OS update (iOS 26.4, iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, or macOS Tahoe 26.4) to replace the vulnerable components.
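  • If an update is not immediately available, manually disable remote content or use the built‑in block settings in the Mail app as a temporary protective measure. Because the flaw is that these settings may not apply to all mail content, this reduces exposure but does not remove it.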
  • Refer to Apple’s support documentation (https://support.apple.com/en-us/126792, https://support.apple.com/en-us/126794, https://support.apple.com/en-us/126795, https://support.apple.com/en-us/126796) for detailed guidance on verifying and applying the patches.

Advisories

No advisories yet.

History

Sun, 29 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Title Apple OS Privacy Leaks in Mail Preferences
Weaknesses CWE-200

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Title Privacy Exposure in Mail Preferences
Weaknesses CWE-200

Fri, 27 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Title Privacy Exposure in Mail Preferences
Weaknesses CWE-200

Thu, 26 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple ipados
Apple iphone Os
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
Vendors & Products Apple ipados
Apple iphone Os
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Title Email Client Preference Leakage: IP Address Exposure Despite Privacy Settings
Weaknesses CWE-200

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Title Email Client Preference Leakage: IP Address Exposure Despite Privacy Settings
Weaknesses CWE-200

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios And Ipados
Apple macos
Vendors & Products Apple
Apple ios And Ipados
Apple macos

Wed, 25 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
Description A privacy issue was addressed with improved handling of user preferences. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. "Hide IP Address" and "Block All Remote Content" may not apply to all mail content.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:08:10.058Z

Reserved: 2025-11-11T14:43:07.876Z

Link: CVE-2026-20692

Vulnrichment

No data.

NVD

Status: Modified

Published: 2026-03-25T01:17:06.017

Modified: 2026-03-27T20:16:25.400

Link: CVE-2026-20692

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-29T20:28:40Z

Weaknesses