Apple released iOS 26.4.2 and iOS 18.7.8 on April 22, patching a Notification Services flaw that retained previews of deleted messages on iPhones and iPads. The FBI used the same vulnerability to recover Signal communications from a suspect’s device in a federal terrorism prosecution in Texas.
The flaw, tracked as CVE-2026-28950, existed one layer below Signal’s end-to-end encryption. iOS cached incoming notification content in the push notification database when message previews were enabled, retaining it for up to a month even after messages were deleted or the app was removed.
Everyone’s screaming “Signal is broken” again because the FBI pulled deleted messages from an iPhone.
They were just sitting in Apple’s APNs notification cache from lock screen previews. Not a Signal vulnerability.
Turn previews off if you are worried.
— manipulate (@manipulate) April 9, 2026
“Notifications marked for deletion could be unexpectedly retained on the device,” Apple said in a security advisory, describing it as a logging issue addressed through improved data redaction.
The bug surfaced during a federal trial in Fort Worth tied to a July 4, 2025, attack on the Prairieland Immigration and Customs Enforcement (ICE) Detention Center in Alvarado, Texas. FBI agents testified they extracted incoming Signal messages from a defendant’s iPhone via the push notification database after the app was deleted.
“The FBI was able to forensically extract copies of incoming Signal messages from a defendant’s iPhone, even after the app was deleted, because copies of the content were saved in the device’s push notification database”
Oops
— scriptjunkie (Matt) (@scriptjunkie1) April 9, 2026
Nine defendants were convicted on March 13, 2026, of material support to terrorists and attempted murder.
Investigators recovered only incoming message previews, not outgoing ones, meaning the FBI could determine what suspects received but not what they sent.
We are very happy that today Apple issued a patch and a security advisory. This comes following @404mediaco reporting that the FBI accessed Signal message notification content via iOS despite the app being deleted.
Apple’s advisory confirmed that the bugs that allowed this to…
— Signal (@signalapp) April 22, 2026
Signal said the patch requires no additional action from users. “Once you install the patch, all inadvertently-preserved notifications will be deleted, and no forthcoming notifications will be preserved for deleted applications,” the company said on X.
The Electronic Frontier Foundation (EFF) urged users to reconsider notification permissions. “For most app notifications, there’s no simple way to figure out what metadata might be gleaned, or if the notification is unencrypted or not,” the EFF said.
As of publication, it remains unclear how long law enforcement had known about the technique or whether it was used in other cases.







