Apple WebKit Vulnerability Lets Malicious Web Content Bypass Same Origin Policy on iOS and macOS

Apple has released important security updates to fix a serious WebKit vulnerability that lets maliciously crafted web content get around the Same Origin Policy. These updates, which came out on March 17, 2026, apply to the most recent versions of Apple's mobile and desktop operating systems. The patch is delivered through the Background Security Improvements feature, which protects devices quickly without needing a long system reboot or a big software update installation.

CVE-2026-20643: Apple WebKit Security Hole

Security researcher Thomas Espach found the flaw and reported it. It is now officially tracked as CVE-2026-20643. The flaw is a cross-origin issue in the Navigation API of the WebKit framework stack.
The Same Origin Policy is a basic security measure that most modern web browsers use. It limits how a document or script from one origin can interact with resources from another origin. When threat actors get around this protection by using maliciously crafted web content, they could steal authentication tokens, take over user sessions, or steal private information from trusted websites that the victim is currently on.
Apple engineers fixed the underlying problem in the Navigation API by adding better input validation, which closed the hole that allowed improper navigation between different origins. Apple sent out this fix as a Background Security Improvement instead of waiting for the next big software release.
These small updates, which arrived with the 26.1 operating system versions, deliver important security protections for components such as the Safari browser, the WebKit framework stack, and a number of system libraries. This quick-response mechanism lets Apple fix very serious security holes between regular updates. If a user has compatibility trouble after a patch is applied, they can temporarily remove the patch.
Removing it returns the device to the baseline software update until the patch is officially improved and included in the next major release. The quick updates are available only for iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2. To keep their devices safe from this WebKit flaw, users should check that their settings are configured to accept updates automatically.
Users can change these settings in the Privacy & Security menu of their device settings. On iPhones and iPads, this is in the main Settings app. Mac users can reach it through the Apple menu and System Settings.
After that, users can choose the Background Security Improvements option and check that the "Automatically Install" feature is on. If this setting is turned off, devices remain open to cross-origin attacks until a standard software update is installed manually.












