
Apple has strengthened protections in iOS 26.4 and macOS 26.4, closing a reported prompt injection weakness tied to on-device Apple Intelligence features.
The issue was discussed during RSAC, where security researchers said they were able to bypass Apple’s safeguards by feeding the model carefully crafted inputs. In one set of 100 tests, they reportedly reached a 76% success rate.
According to the researchers, one attack path used a method called Neural Exec. The idea was to create inputs that looked meaningless to people but still nudged the model into following hidden instructions.
A second technique relied on Unicode right-to-left override behavior to conceal malicious commands and slip past filtering systems. Once manipulated, the model could generate attacker-controlled output and, in some cases, influence app behavior through system APIs or expose sensitive data.
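As an added example (not code from the researchers or from Apple), the following sketch shows a defensive input check for the bidirectional control characters mentioned above: it reports where they occur, flags unterminated overrides, and strips them before a text filter runs. The filter design, the function names `scan_bidi` and `screen_input`, the policy term and the sample string are all assumptions constructed for illustration; the article does not describe how Apple's filtering works.

```python
import unicodedata

# Bidirectional formatting controls from Unicode UAX #9. U+202E is the
# right-to-left override the article mentions; the rest reorder or hide
# text in related ways.
OPENERS = set("\u202a\u202b\u202d\u202e\u2066\u2067\u2068")  # LRE RLE LRO RLO LRI RLI FSI
CLOSERS = set("\u202c\u2069")                                # PDF PDI
MARKS = set("\u200e\u200f\u061c")                            # LRM RLM ALM


def scan_bidi(text):
    """Return (findings, stripped_text, unterminated_count) for one input."""
    findings, kept, depth = [], [], 0
    for index, ch in enumerate(text):
        if ch in OPENERS or ch in CLOSERS or ch in MARKS:
            findings.append((index, f"U+{ord(ch):04X}", unicodedata.name(ch)))
            if ch in OPENERS:
                depth += 1
            elif ch in CLOSERS and depth:
                depth -= 1
        else:
            kept.append(ch)
    return findings, "".join(kept), depth


def screen_input(text, blocked_terms):
    """Hypothetical pre-model filter: strip controls, fold, then match."""
    findings, stripped, unterminated = scan_bidi(text)
    folded = unicodedata.normalize("NFKC", stripped).casefold()
    hits = [t for t in blocked_terms if t.casefold() in folded]
    # Assumed policy: lone marks (LRM/RLM/ALM) occur in ordinary RTL text and
    # are only stripped; overrides, embeddings and isolates are rejected.
    structural = any(text[i] not in MARKS for i, _, _ in findings)
    return {"findings": findings, "unterminated": unterminated,
            "blocked_terms": hits, "reject": bool(structural or hits)}


# Constructed sample: a placeholder policy term split by an override pair.
SAMPLE = "summarise this note bl\u202eocked\u202c-phrase please"
POLICY = ["blocked-phrase"]  # placeholder term, not a real filter list

if __name__ == "__main__":
    print("naive substring match:", POLICY[0] in SAMPLE)
    for key, value in screen_input(SAMPLE, POLICY).items():
        print(key, "=", value)
```

Logging the findings alongside the rejected input gives reviewers the exact code points and offsets, which are invisible when the text is rendered.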
Researchers also argued that Apple’s hybrid design changes the risk profile rather than removing it. Running smaller models locally helps with privacy, but deep system integration can also widen the attack surface if those models accept adversarial input.
The report estimated that between 100,000 and 1 million users could have been exposed to this class of security risk. At the same time, the researchers said there were no confirmed real-world attacks when the findings were disclosed.
Their broader conclusion was pretty blunt: local AI models are not automatically safer just because they stay on the device. Privacy is one part of the equation, but resilience against adversarial prompts still matters if the model is tied closely to operating-system features.
For Apple users, the practical takeaway is simple. If you use devices with Apple Intelligence, installing iOS 26.4 or macOS 26.4 closes a meaningful AI security gap and is worth doing sooner rather than later.