On Tuesday, Apple released the first set of Background Security Improvements to fix a security flaw in WebKit that affects iOS, iPadOS, and macOS. The vulnerability, tracked as CVE-2026-20643 (CVSS score: N/A), is a cross-origin issue in WebKit's Navigation API that could be used to bypass the same-origin policy when processing maliciously crafted web content.

The problem is present in iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2. It has been fixed with improved input validation in iOS 26.3.1 (a), iPadOS 26.3.1 (a), macOS 26.3.1 (a), and macOS 26.3.2 (a). Security researcher Thomas Espach has been credited with discovering and reporting the shortcoming.

Apple says that Background Security Improvements are meant to deliver lightweight security updates for components such as the Safari browser, the WebKit framework stack, and other system libraries through smaller, ongoing security patches instead of larger software updates. Starting with iOS 26.1, iPadOS 26.1, and macOS 26, the feature will be supported and enabled for future releases. Apple says that if compatibility problems are found, the improvements may be temporarily removed and then added back in a later software update.

Users can manage Background Security Improvements from the Privacy and Security menu in the Settings app. Keeping the "Automatically Install" option on is recommended so that the improvements are installed automatically.

If users choose to turn this setting off, they will have to wait until the next software update to get the improvements. In that sense, the feature is similar to Rapid Security Response, which was added in iOS 16 as a way to install small security updates. Apple said in a help document, "If you remove a Background Security Improvement, your device will go back to the baseline software update (for example, iOS 26.3) without any Background Security Improvements."

The news comes just over a month after Apple released fixes for an actively exploited zero-day vulnerability (CVE-2026-20700, CVSS score: 7.8) that could result in arbitrary code execution on iOS, iPadOS, macOS Tahoe, tvOS, watchOS, and visionOS. Last week, the iPhone maker also released additional patches for four security flaws (CVE-2023-43010, CVE-2023-43000, CVE-2023-41974, and CVE-2024-23222) that were used in the Coruna exploit kit.