APPLE has issued an emergency update to fix a Notification Services flaw that caused deleted alerts to remain stored on devices, potentially exposing sensitive message content. Tracked as CVE-2026-28950, the issue has been resolved in iOS 26.4.2 and iPadOS 26.4.2, with patches also released for older supported versions of Apple operating systems.
The company said the bug stemmed from a logging issue that allowed notifications marked for deletion to persist, and it noted improved data redaction while not confirming whether the flaw had been exploited or how long retained data could remain accessible.
The update follows reporting that forensic investigators recovered deleted Signal messages from an iPhone by accessing stored notification data rather than the app itself, with 404 Media describing how message content remained available after the app was removed due to cached notifications in system storage. Signal welcomed the fix, while Apple’s advisory mirrors similar behaviour and the company has not explained why notification content was retained or when the issue was introduced.
To reduce risk, Apple backported fixes to iOS 18.7.8 and iPadOS 18.7.8, with recommendations such as setting notification previews to “Name Only” or disabling message content, installing the latest OS updates promptly, and reviewing notification settings for sensitive apps.