Apple released its first round of Background Security Improvements to address CVE-2026-20643, a cross-origin issue in WebKit’s Navigation API that could bypass the same-origin policy — one of the most fundamental security guarantees in web browsers.
The vulnerability could be exploited when processing maliciously crafted web content, potentially allowing attackers to access data from other origins. Security researcher Thomas Espach discovered and reported the flaw.
Fixed in iOS 26.3.1(a), iPadOS 26.3.1(a), macOS 26.3.1(a), and macOS 26.3.2(a). Apple’s new Background Security Improvements system delivers lightweight security patches for Safari, WebKit, and other system libraries outside of major software releases, enabling faster response to critical vulnerabilities.