Published on March 18, 2026
Apple WebKit Security Flaw Exposes iOS and macOS Users to Content-Based Bypass Attacks
Severity
High
Apple has issued an emergency security update to address a critical vulnerability within its WebKit engine that affects iPhone, iPad, and Mac devices. The flaw, identified as CVE-2026-20643, has the potential to allow attackers to bypass core browser security protections through specially crafted web content.
The vulnerability originates from improper handling within the Navigation API, which could enable threat actors to exploit cross-origin weaknesses. Successful exploitation may result in a violation of the Same Origin Policy, allowing unauthorized access to sensitive data such as session tokens, authentication details, and other protected resources.
Apple confirmed that the issue has been resolved by enhancing input validation mechanisms to prevent malicious payload execution. The fix was deployed on March 17, 2026, through Apple’s Background Security Improvements feature, allowing devices to receive patches without requiring a full OS update.
| CVE ID | Summary | Impact | CVSS Score |
| CVE-2026-20643 | Improper input validation in WebKit Navigation API allows malicious web content to bypass Same Origin Policy protections | Security control bypass, unauthorized data access, potential session compromise | 8.1 (High) |
Apple’s Background Security Improvements mechanism enables rapid deployment of critical fixes to key components such as Safari and system libraries. This approach ensures faster protection while minimizing user disruption.
Affected Products
The vulnerability impacts Apple devices running the following versions:
- iOS 26.3.1
- iPadOS 26.3.1
- macOS 26.3.1 and macOS 26.3.2
Background Security Improvements are supported on:
- iOS 26.1 and later
- iPadOS 26.1 and later
- macOS 26.1 and later
Recommendation
To reduce the risk of exploitation, users and administrators should ensure that automatic background security updates are enabled on all devices. This can be verified under the Privacy & Security settings, where the Background Security Improvements option should remain turned on.
Organizations should also monitor devices for abnormal browser behavior or signs of unauthorized cross-site access. Disabling automatic updates may delay critical protections, as fixes will only be applied during future full system updates.