CVE-2026-28965 - Vulnerability Details

- Privacy Leakage via Lock‑Screen Previews on iOS and iPadOS

Description

A privacy issue was addressed with improved checks. This issue is fixed in iOS 26.5 and iPadOS 26.5. A user may be able to view restricted content from the lock screen.

Published: 2026-05-11

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

This vulnerability allows a user to view restricted content—content that is meant to be concealed—directly from the lock screen. The issue stems from insufficient checks in the lock‑screen display logic, enabling the disclosure of protected information to anyone who can access the device while it is locked. The primary impact is a privacy violation with potential leaks of sensitive personal data.

Affected Systems

Apple iOS and iPadOS devices running versions prior to 26.5 are affected. Apple addressed the issue in iOS 26.5 and iPadOS 26.5, so installations of those or later releases are not vulnerable.

Risk and Exploitability

The EPSS score is <1%, indicating a very low probability of exploitation. The CVSS score of 7.5 suggests moderate to high severity for a privacy violation. This vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a local user who can unlock the device to view restricted content, and the risk level appears to be low‑to‑moderate. The risk stems mainly from the ease of interaction—any user who can unlock the device can potentially see the restricted content—making it a low‑to‑moderate security concern for affected users. Nonetheless, the privacy impact warrants prompt remediation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Apple

iOS and iPadOS

affected

Version	Status	Constraints
`0`	affected	< 26.5

Configuration 1 [-]

OR	cpe:2.3:o:apple:ipados::::::::
	cpe:2.3:o:apple:iphone_os::::::::

No data.

Vendor Product Confidence Versions

Apple

Ios And Ipados

100%

Version	Status	Scheme	Platform
`[0,26.5)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the device to iOS 26.5 or later, or to iPadOS 26.5 or later.
If an update is not immediately possible, adjust Settings → Face ID & Passcode → Allow Access When Locked to disable lock‑screen previews of restricted content.
If you manage devices via MDM, push a configuration profile that disables lock‑screen previews for restricted apps.

Generated by OpenCVE AI on May 12, 2026 at 17:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://support.apple.com/en-us/127110

History

Tue, 12 May 2026 18:15:00 +0000

Type	Values Removed	Values Added
Title		Privacy Leakage via Lock‑Screen Previews on iOS and iPadOS

Tue, 12 May 2026 17:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple ipados Apple iphone Os
CPEs		cpe:2.3:o:apple:ipados:::::::: cpe:2.3:o:apple:iphone_os::::::::
Vendors & Products		Apple ipados Apple iphone Os

Tue, 12 May 2026 16:30:00 +0000

Type	Values Removed	Values Added
Title	Privacy Vulnerability: Lock Screen Content Disclosure
Weaknesses	CWE-200

Tue, 12 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-284
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 11 May 2026 23:30:00 +0000

Type	Values Removed	Values Added
Title		Privacy Vulnerability: Lock Screen Content Disclosure
Weaknesses		CWE-200

Mon, 11 May 2026 22:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple ios And Ipados
Vendors & Products		Apple Apple ios And Ipados

Mon, 11 May 2026 20:45:00 +0000

Type	Values Removed	Values Added
Description		A privacy issue was addressed with improved checks. This issue is fixed in iOS 26.5 and iPadOS 26.5. A user may be able to view restricted content from the lock screen.
References		https://support.apple.com/en-us/127110

Subscriptions

Apple Ios And Ipados Ipados Iphone Os

MITRE

Status: PUBLISHED

Assigner: apple

Published: 2026-05-11T20:08:02.593Z

Updated: 2026-05-12T13:27:10.166Z

Reserved: 2026-03-03T16:36:03.991Z

Link: CVE-2026-28965

Vulnrichment

Updated: 2026-05-12T13:27:01.680Z

NVD

Status : Analyzed

Published: 2026-05-11T21:18:57.493

Modified: 2026-05-12T18:46:25.137

Link: CVE-2026-28965

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T18:00:12Z

Weaknesses

CWE-284

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object