Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS
Apple released Background Security Improvements to patch CVE-2026-20643, a WebKit vulnerability affecting iOS, iPadOS, and macOS that could bypass the same-origin policy via maliciously crafted web content. The flaw was discovered by security researcher Thomas Espach and fixed through improved input validation across multiple OS versions.
Summary
Apple released Background Security Improvements to patch CVE-2026-20643, a WebKit vulnerability affecting iOS, iPadOS, and macOS that could bypass the same-origin policy via maliciously crafted web content. The flaw was discovered by security researcher Thomas Espach and fixed through improved input validation across multiple OS versions.
Full text
Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS Ravie LakshmananMar 18, 2026Vulnerability / Zero-Day Apple on Tuesday released its first round of Background Security Improvements to address a security flaw in WebKit that affects iOS, iPadOS, and macOS. The vulnerability, tracked as CVE-2026-20643 (CVSS score: N/A), has been described as a cross-origin issue in WebKit's Navigation API that could be exploited to bypass the same-origin policy when processing maliciously crafted web content. The flaw affects iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2. It has been addressed with improved input validation in iOS 26.3.1 (a), iPadOS 26.3.1 (a), macOS 26.3.1 (a), and macOS 26.3.2 (a). Security researcher Thomas Espach has been credited with discovering and reporting the shortcoming. Apple notes that Background Security Improvements are meant for delivering lightweight security releases for components such as the Safari browser, WebKit framework stack, and other system libraries through smaller, ongoing security patches rather than issuing them as part of larger software updates. The feature is supported and enabled for future releases starting with iOS 26.1, iPadOS 26.1, and macOS 26. In cases where compatibility issues are discovered, the improvements may be temporarily removed and then enhanced in a subsequent software update, Apple adds. Users can control Background Security Improvements via the Privacy and Security menu in the Settings app. To ensure that they are automatically installed, it's advised to keep the "Automatically Install" option on. It's worth noting that if users opt to have this setting disabled, they will have to wait until the improvements are included in the next software update. Viewed in that light, the feature is analogous to Rapid Security Response, which it introduced in iOS 16 as a way to install minor security updates. "If a Background Security Improvement has been applied, and you choose to remove it, your device reverts to the baseline software update (for example, iOS 26.3) with no Background Security Improvements applied," Apple noted in a help document. The development comes little over a month after Apple issued fixes for an actively exploited zero-day impacting iOS, iPadOS, macOS Tahoe, tvOS, watchOS, and visionOS (CVE-2026-20700, CVSS score: 7.8) that could result in arbitrary code execution. Last week, the iPhone maker also expanded patches for four security flaws (CVE-2023-43010, CVE-2023-43000, CVE-2023-41974, and CVE-2024-23222) that were weaponized as part of the Coruna exploit kit. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE Tweet Share Share Share SHARE Apple, browser security, cybersecurity, iOS, MacOS, Patch Management, Vulnerability, WebKit, zero-day Trending News ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday Popular Resources Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026 Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths Identity Controls Checklist: Find Missing Protections in Apps
Indicators of Compromise
- cve — CVE-2026-20643