Apple has released its first documented round of Background Security Improvements to patch CVE-2026-20643, a WebKit vulnerability affecting iPhone, iPad, and Mac systems. According to Apple, the flaw could allow maliciously crafted web content to bypass the Same-Origin Policy, a core browser security boundary designed to stop websites from accessing data that belongs to a different origin.
Apple says the issue was caused by a cross-origin flaw in WebKit’s Navigation API and that it has been addressed through improved input validation. The company credits security researcher Thomas Espach with reporting the vulnerability.
The fix applies to iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2, and is delivered in the lightweight security releases labeled iOS 26.3.1 (a), iPadOS 26.3.1 (a), macOS 26.3.1 (a), and macOS 26.3.2 (a). Apple’s Background Security Improvements are designed to ship smaller security patches for components such as Safari, WebKit, and system libraries without waiting for a larger full OS update.
Apple says the feature is supported on releases starting with iOS 26.1, iPadOS 26.1, and macOS 26.1, and that users can manage it from the Privacy & Security settings menu. If users disable automatic installation, they may not receive these mitigations until the protections are rolled into a later software update.
The practical significance of the flaw is that bypassing the Same-Origin Policy can weaken one of the browser’s most important isolation controls. While Apple has not published a CVSS score and did not say the issue was exploited in the wild, the bug affects a core web rendering component deployed across Apple’s mainstream platforms, which makes timely patching important for both consumer devices and enterprise-managed fleets.