
Apple fixes iPhone bug that let FBI retrieve deleted Signal messages (CVE-2026-28950)

Help Net Security · Archived Apr 23, 2026



Zeljka Zorz, Editor-in-Chief, Help Net Security
April 23, 2026

Apple has rolled out security updates for iPhones and iPads that fix CVE-2026-28950, a logging issue in Notification Services that made devices unexpectedly retain notifications marked for deletion.

The vulnerability was patched following a recent report about the FBI accessing a suspect’s Signal message notification content on their iPhone, despite Signal being deleted from the device.

As usual, Apple did not offer more details about the flaw; it just said that the issue was addressed with improved data redaction.

The company also did not state that the vulnerability has been exploited, leaving it initially unconfirmed that CVE-2026-28950 is, indeed, the flaw that was leveraged by the authorities. (What was clear, however, was that the vulnerability that allowed them to retrieve Signal messages was not in the popular secure messaging app, but in Apple’s internal notification storage.)

Signal ultimately confirmed that CVE-2026-28950 and the bug used by the FBI were one and the same.

“We’re grateful to Apple for the quick action here, and for understanding and acting on the stakes of this kind of issue. It takes an ecosystem to preserve the fundamental human right to private communication,” the company stated.

What you need to do

Apple fixed CVE-2026-28950 on iOS and iPadOS 26, and iOS and iPadOS 18. The latter update is available for a host of older-generation iPhones and iPads.

“Note that no action is needed for this fix to protect Signal users on iOS. Once you install the patch, all inadvertently-preserved notifications will be deleted and no forthcoming notifications will be preserved for deleted applications,” Signal pointed out.

Users who don’t want any messages retained in their device’s notification storage can open their Signal app’s Settings, go to Notifications, and under the Notification content section choose the second (“Name Only”) or the third option (“No Name or Content”).

[Image: The options in Signal’s “Notification content” settings]

This also prevents anyone who handles a user’s locked phone from reading (from the notifications) the content of Signal messages the user receives.