Security Bite: What stands out in the iOS 26.4 security release notes




On Tuesday, along with the widespread release of iOS 26.4, which until then had been in beta, Apple released a major list of security patches addressing more than 35 vulnerabilities. While most single-point releases generally come with a large number of fixes, there are a few notable ones here that I want to draw attention to.

Here are the ones that caught my attention.

About Security Bite: The weekly Security Bite column and biweekly podcast is your deep dive into the ever-evolving world of Apple security. Arin Waichulis is a certified IT professional and third-year security writer at 9to5Mac. Here, Arin breaks down the most critical headlines affecting privacy and security so you can stay better informed.

Stolen Device Protection Bypass

This is the biggest one. The vulnerability (CVE-2026-28895) allowed someone with physical access to an iPhone to bypass biometrically protected apps using only the passcode, even with Stolen Device Protection enabled. This means that apps locked with the ‘Require Face ID’ option, which users can enable by long-pressing an app icon, could still be opened using only the device’s passcode.

If you have been following Security Bite, I recently broke down new changes to Stolen Device Protection back in February. One of them is that Apple now enables the feature by default in iOS 26.4.

The point of Stolen Device Protection is in the name. It’s there to render a stolen iPhone useless even if the thief has your password.

A bypass like the one above completely undermines the feature’s premise. Apple says the fix involved improved controls and the issue is now fixed.

If you are interested in knowing how stolen device protection came about, here’s the backstory.

A local attacker could access your keychain

CVE-2026-28864 is another one I find interesting. There aren’t many details on this, but according to Apple, a local attacker could gain access to Keychain items due to insufficient permissions checking.

Your keychain stores passwords, encryption keys, tokens, and more. A flaw here is a pretty serious local privilege escalation, and while it requires someone to physically have your device in their hand, that’s exactly a scenario Stolen Device Protection is designed for.

Your email privacy settings may not have been working…

CVE-2026-20692 revealed that “Hide IP Address” and “Block All Remote Content” may not have been applied to all email content. So if you had them turned on in Mail, there’s a chance that your IP address was not hidden from senders and remote content continued to load.

It’s unclear how widespread this issue was, but features silently not working is never good.

Escape the Sandbox through Print

CVE-2026-20688 allowed an application to break out of its sandbox due to a path handling issue in the print framework. This is the part of AirPrint that allows users to print things wirelessly.

Sandbox escapes are always notable because they are a critical link in exploit chains. Once you exit the sandbox, the attack surface opens up considerably.

Bad month for WebKit

Seven CVEs plus one sandboxing issue. Highlights include a same-origin policy bypass (CVE-2026-20643), a content security policy bypass (CVE-2026-20665), and a bug that allowed a malicious website to process restricted web content outside the sandbox (CVE-2026-28859).

The latter is particularly worrying.

Takeaway

None of them are listed as actively exploited in the wild, which is good news. But the severity of several of them is notable for a single point release.

A stolen device protection bypass, keychain access issues, and email privacy settings that silently fail are not the run-of-the-mill problems that users typically face.

I recommend updating to 26.4 on all your devices as soon as possible.

You can see the full list of patches for iOS 26.4, macOS 26.4, tvOS 26.4, iPadOS 26.4, and other platforms on Apple’s security releases page.

