Apple patches WebKit flaw that could let malicious web content bypass browser protections
Apple has released a security fix for a WebKit vulnerability that could let maliciously crafted web content bypass the Same Origin Policy on iPhones, iPads, and Macs. Apple tracks the issue as CVE-2026-20643 and says it was fixed through its new Background Security Improvements system on March 17, 2026.
According to Apple, the flaw was a cross-origin issue in the Navigation API. The company says processing malicious web content could bypass the Same Origin Policy, which is one of the browser’s core protections for keeping data from different sites isolated from each other.
Apple credited security researcher Thomas Espach with reporting the issue. The company says it addressed the bug with improved input validation.
Which Apple platforms are affected
Apple says the background patch applies to iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2. The fix appears in Apple’s public security releases list as a Background Security Improvements update released on March 17, 2026.
This is important because Apple did not ship the fix as a normal full OS release. Instead, it used Background Security Improvements, which Apple describes as a way to deliver lightweight security releases for components such as Safari, the WebKit framework stack, and system libraries between standard software updates.
What Background Security Improvements means for users
Apple says Background Security Improvements are supported starting with iOS 26.1, iPadOS 26.1, and macOS 26, and they install automatically when the setting is enabled. That lets Apple push smaller security fixes without making users wait for the next larger platform update.
Apple also says that if a background improvement causes a compatibility problem, it can be temporarily removed. If that happens, the device reverts to the baseline software version until Apple ships a later update with the fix fully integrated.
Why this WebKit bug matters
Apple’s advisory does not say the flaw was actively exploited. Still, the impact is serious because Same Origin Policy bypasses can weaken a basic browser security boundary. In practical terms, that could create paths for cross-site data access that should normally be blocked. This is an inference based on Apple’s impact statement that maliciously crafted web content may bypass Same Origin Policy.
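To make the boundary concrete, here is an added illustration (not Apple's or WebKit's code, and not a model of the patched bug itself) of the origin comparison that the Same Origin Policy rests on, applied to a constructed list of navigation-history-style URLs so that only entries same-origin with the current document are exposed. All URLs are made up for the example.

```javascript
// Added example: models the Same Origin Policy's origin comparison
// (scheme, host, port) the way browsers apply it, then filters a
// constructed list of history-style URLs down to those the current
// document should be allowed to see. Illustrative only.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Returns the origin tuple for a URL, or null for schemes that carry no
// host/port tuple (data:, blob:, about:) and so get an opaque origin that
// never matches anything, not even itself.
function originTuple(urlString) {
  const u = new URL(urlString);
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  const port = u.port || DEFAULT_PORTS[u.protocol]; // explicit :443 normalises to ""
  return { scheme: u.protocol, host: u.hostname, port };
}

function isSameOrigin(a, b) {
  const oa = originTuple(a), ob = originTuple(b);
  if (oa === null || ob === null) return false; // opaque origins never match
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Given the current document's URL and a list of history entries, keep only
// the entries a same-origin-respecting API should reveal to that document.
function visibleEntries(currentUrl, entries) {
  return entries.filter((e) => isSameOrigin(currentUrl, e));
}

// Constructed sample data, not a real navigation history.
const SAMPLE_ENTRIES = [
  "https://app.example.test/dashboard",               // same origin
  "https://app.example.test:443/settings?tab=keys",   // same origin (default port)
  "http://app.example.test/dashboard",                // different scheme
  "https://mail.example.test/inbox",                  // different host
  "https://app.example.test:8443/admin",              // different port
  "data:text/html,<h1>hi</h1>",                       // opaque origin
];
```

Running visibleEntries("https://app.example.test/", SAMPLE_ENTRIES) yields only the first two URLs; every other entry differs in scheme, host or port, or has an opaque origin.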
The issue also shows why Apple built this new rapid patching system. WebKit and Safari process untrusted web content constantly, so shipping a smaller background fix can reduce exposure faster than waiting for a major OS release. This is an inference based on Apple’s description of Background Security Improvements as lightweight security releases for Safari, WebKit, and related components.
Apple WebKit CVE-2026-20643 at a glance
| Item | Details |
|---|---|
| CVE | CVE-2026-20643 |
| Component | WebKit Navigation API |
| Impact | Malicious web content may bypass Same Origin Policy |
| Fix | Improved input validation |
| Reported by | Thomas Espach |
| Delivery method | Background Security Improvements |
| Released | March 17, 2026 |
| Platforms | iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, macOS 26.3.2 |
What users should do
- Make sure automatic installation for Background Security Improvements stays enabled. Apple says these fixes install automatically when supported and enabled.
- Check that your device is on a supported baseline version, meaning one of iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, or macOS 26.3.2.
- Avoid disabling the feature unless you are troubleshooting a compatibility problem, because Apple says removing the improvement reverts the device to the baseline update without the background fix applied.
FAQ
It is a WebKit vulnerability that Apple says could let maliciously crafted web content bypass the Same Origin Policy.
No. Apple delivered it through Background Security Improvements rather than a full system update.
Apple lists iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2.
Apple’s published note for CVE-2026-20643 does not say that. It only describes the impact and the fix.