Apple fixes iOS bug that exposed deleted Signal messages via notifications

Apple has released new security updates for iPhone and iPad, writes Bleeping Computer, addressing a vulnerability that could leave deleted messages accessible through notifications.

The updates, available for iOS 26.4.2 and iPadOS 26.4.2, as well as iOS 18.7.8 and iPadOS 18.7.8, fix a flaw tracked as CVE-2026-28950. The issue allowed notifications marked for deletion to remain stored on the device.

The vulnerability drew attention after the FBIwas able to recover deleted messages from Signal due to how iOS handles push notifications. According to case materials, incoming messages had been deleted from the app but remained in the iOS notification database.

Court documents published by the defence showed that the recovered data did not come from Signal’s encrypted message storage, but from iPhone notification logs. Even after the app was removed, incoming notifications were still retained in the device’s internal memory.

Signal thanked Apple for its “quick action” in fixing the vulnerability, which it said posed a risk to private conversations. The company also stressed the need to protect “the fundamental human right to private communication.”

Users are advised to install the update as soon as possible.

“Furthermore, it is possible to prevent Signal message content from being retained in the iOS notification data storage by going to Signal Settings > Notifications > Notification content and setting Show to ‘Name Only’ or ‘No Name or Content’,” Bleeping Computer reports.

Earlier, Pavel Durov commented on the situation, noting that in Telegram secret chats, message content is never displayed in push notifications.