Apple has issued an emergency update to fix a Notification Services flaw that caused deleted alerts to remain stored on devices, potentially exposing sensitive message content.
Tracked as CVE-2026-28950, the issue has been resolved in iOS 26.4.2 and iPadOS 26.4.2, with patches also released for older supported versions of Apple operating systems.
The company said the bug stemmed from a logging issue that allowed notifications marked for deletion to persist. Apple added that improved data redaction addresses the problem, but did not confirm whether the flaw had been exploited or how long retained data could remain accessible.
Notification Data Persistence Raises Privacy Concerns
The update follows reporting that forensic investigators recovered deleted Signal messages from an iPhone by accessing stored notification data rather than the app itself. According to 404 Media, message content remained available even after the app was removed because notifications had been cached in system storage.
Although Apple did not reference the case directly, its advisory reflects similar behavior. The company has not explained why notification content was retained or when the issue was introduced.
Signal welcomed the fix. "We're grateful to Apple for the quick action here, and for understanding and acting on the stakes of this kind of issue," the company said in an X post on Wednesday. "It takes an ecosystem to preserve the fundamental human right to private communication."
Patch Coverage and Mitigation Steps
The vulnerability impacts a broad range of iPhones and iPads, including iPhone 11 and later devices. Apple has also backported fixes to iOS 18.7.8 and iPadOS 18.7.8.
Users can reduce risk by:
-
Setting notification previews to "Name Only" or disabling message content
-
Installing the latest OS updates promptly
-
Reviewing notification settings for sensitive apps
The Electronic Frontier Foundation has warned that notifications may expose metadata or unencrypted content depending on implementation. Apple's update highlights how system-level features can introduce privacy risks, even when applications use encryption.
Image credit: Farknot Architect / Shutterstock.com