Security Bite: What stands out in the iOS 26.4 security release notes


On Tuesday, along with the wide release of iOS 26.4, which had been in beta up until then, Apple dropped a hefty list of security patches addressing over 35 vulnerabilities. While most single-point releases usually come with a large number of fixes, there are a handful of notable ones here I want to bring attention to.

Here are the ones that caught my eye.

About Security Bite: The weekly Security Bite column and biweekly podcast is your deep dive into the ever-evolving world of Apple security. Arin Waichulis is a degreed IT professional and third-year security writer at 9to5Mac. Here, Arin takes a bite out of the most critical headlines impacting privacy and security so you can stay better informed.

Stolen Device Protection bypass

This is the biggest one. The vulnerability (CVE-2026-28895) allowed someone with physical access to an iPhone to bypass biometrically protected apps using only the passcode, even with Stolen Device Protection enabled. This means apps gated by the ‘Require Face ID’ option, which users can enable by long-pressing an app icon, could still be accessed using just the device’s passcode.

If you’ve been following Security Bite, I recently broke down new Stolen Device Protection changes back in February. One of them is that Apple now enables the feature by default in iOS 26.4.

The whole point of Stolen Device Protection is in the name. It’s there to make a stolen iPhone useless even if the thief has your passcode.

A bypass like the one above undermines the feature’s premise entirely. Apple says the fix involved improved checks, and the issue is now patched.

If you’re interested in how Stolen Device Protection came to be, here’s the backstory.

A local attacker could access your Keychain

CVE-2026-28864 is another one that I find interesting. There aren’t a whole lot of details on this one, but according to Apple, a local attacker could gain access to Keychain items due to insufficient permissions checking.

Your Keychain stores passwords, encryption keys, tokens, and more. A flaw here is a pretty serious local privilege escalation, and while it requires someone to physically have your device in hand, that’s exactly a scenario Stolen Device Protection is designed for.

Your Mail privacy settings may not have been working…

CVE-2026-20692 revealed that “Hide IP Address” and “Block All Remote Content” may not have applied to all mail content. So if you had those toggled on in Mail, there’s a chance that your IP address wasn’t hidden from senders, and remote loads were still getting through.

It’s not clear how widespread this issue was, but silent features silently not working is never good.

Sandbox escape through Printing

CVE-2026-20688 allowed an app to break out of its sandbox via a path-handling issue in the Printing framework, the part of AirPrint that lets users print wirelessly.

Sandbox escapes are always notable because they’re a critical link in exploit chains. Once you’re out of the sandbox, the attack surface opens up considerably.

Bad month for WebKit

Seven CVEs plus a sandboxing issue. The highlights include a Same Origin Policy bypass (CVE-2026-20643), a Content Security Policy bypass (CVE-2026-20665), and a bug that allowed a malicious website to process restricted web content outside the sandbox (CVE-2026-28859).

That last one is particularly concerning.

The takeaway

None of these are listed as actively exploited in the wild, which is the good news. But the severity of several of these is notable for a single-point release.

A Stolen Device Protection bypass, Keychain access issues, and Mail privacy settings silently failing are not your run-of-the-mill issues that users typically face.

I recommend updating to 26.4 on all your devices as soon as possible.

You can view the full list of patches for iOS 26.4, macOS 26.4, tvOS 26.4, iPadOS 26.4, and other platforms on Apple’s security releases page.

