Apple has released a Background Security Improvements update to fix a WebKit vulnerability that could let malicious web content bypass the browser’s same-origin policy on iOS, iPadOS, and macOS.
The flaw, tracked as CVE-2026-20643, is described as a cross-origin issue in WebKit’s Navigation API. According to reporting from The Hacker News, the bug could be exploited with specially crafted web content, potentially allowing unauthorized access across website boundaries. Apple did not list a CVSS score, which is common in its security advisories.
The same-origin policy is one of the web’s core security controls. It is designed to stop a page from one site from reading or interfering with data from another. A bypass in that boundary can create opportunities for attackers to access sensitive session data, expose content from authenticated sites, or chain the bug with other browser flaws for broader compromise.
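To make the boundary concrete, the following is an added example (not code from the article, Apple or WebKit) showing how a browser decides whether two documents share an origin: the scheme, host and port must all match, and a difference in any one of them makes the pages cross-origin, which is exactly the separation a bypass like the one described above would undermine. The URLs are constructed for illustration.

```javascript
// Added example: same-origin policy comparison as browsers perform it.
// An origin is the (scheme, host, port) triple of a URL; path, query and
// fragment play no part. Uses the WHATWG URL parser available in Node and
// browsers, which lowercases scheme/host and drops default ports (443, 80).

function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol.replace(/:$/, ""), // "https:" -> "https"
    host: u.hostname,                     // already lowercased by the parser
    port: u.port,                         // "" when the scheme's default port is used
  };
}

// True only when every component of the origin triple matches.
function sameOrigin(urlA, urlB) {
  const a = originOf(urlA);
  const b = originOf(urlB);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Given the origin of the current document and a list of URLs (frames,
// fetches, navigation targets), split them into what script on the document
// may read under the same-origin policy and what it must not.
function partitionByOrigin(documentUrl, candidateUrls) {
  const result = { sameOrigin: [], crossOrigin: [] };
  for (const url of candidateUrls) {
    (sameOrigin(documentUrl, url) ? result.sameOrigin : result.crossOrigin).push(url);
  }
  return result;
}

// Constructed sample: a page on app.example.com alongside several targets.
const SAMPLE_DOCUMENT = "https://app.example.com/inbox";
const SAMPLE_CANDIDATES = [
  "https://app.example.com:443/api/messages", // same origin (443 is the default port)
  "HTTPS://App.Example.com/settings#profile",  // same origin (case and fragment ignored)
  "http://app.example.com/inbox",              // different scheme
  "https://example.com/",                      // different host (parent domain is still a different origin)
  "https://app.example.com:8443/admin",        // different port
  "https://sso.example.net/login",             // different host
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(partitionByOrigin(SAMPLE_DOCUMENT, SAMPLE_CANDIDATES));
}
```

The point the article makes follows directly from the function: every URL that lands in `crossOrigin` is content the page's scripts are forbidden to read, so a bug that lets a page treat such a URL as `sameOrigin` exposes whatever the user is logged into on those other sites.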
The fix matters beyond Safari. WebKit is the engine behind Safari and many in-app browsers and embedded web views on Apple platforms. That gives the issue a wider reach across consumer and enterprise devices, especially where users access email, SSO portals, and internal web apps from the same device.
Apple has increasingly used smaller, faster security delivery mechanisms, including Background Security Improvements, to push targeted fixes without waiting for larger OS updates. For defenders, that shortens patch windows on high-risk browser bugs, but it also means organizations need visibility into how quickly managed devices receive these updates.
Apple has not publicly disclosed whether CVE-2026-20643 was exploited in the wild. Users and administrators should ensure affected devices are updated and review browser and web-view exposure where untrusted content is routinely opened. For users handling sensitive traffic on public networks, using a VPN can reduce some interception risks, though it does not mitigate browser-engine flaws.