Technology company Apple has released a new security update to address a vulnerability in the WebKit engine that could allow attackers to bypass important browser security protections on its operating systems.
The issue, tracked as CVE-2026-20643, affects devices running iOS, iPadOS, and macOS. According to Apple, the flaw could allow malicious websites to bypass the browser’s same origin policy when handling specially crafted web content.
Although the vulnerability does not yet have a public CVSS score, it has been classified as a cross origin issue related to WebKit’s Navigation API.
Affected Systems and Patch Availability
The vulnerability impacts the following software versions:
- iOS 26.3.1
- iPadOS 26.3.1
- macOS 26.3.1
- macOS 26.3.2
Apple addressed the flaw through improved input validation mechanisms in the following security updates:
- iOS 26.3.1 (a)
- iPadOS 26.3.1 (a)
- macOS 26.3.1 (a)
- macOS 26.3.2 (a)
The security issue was discovered and responsibly disclosed by security researcher Thomas Espach.
WebKit Vulnerability and Security Risks
The flaw resides within WebKit, the web engine responsible for rendering websites in the Safari browser and other Apple applications.
If exploited successfully, attackers could bypass the same origin policy, one of the core security mechanisms designed to prevent websites from accessing data belonging to other domains.
By exploiting this weakness, malicious websites may attempt to access sensitive information from other sites open in the browser session.
Introduction of Background Security Improvements
The fix was delivered through Apple’s Background Security Improvements system, a mechanism designed to distribute smaller security updates more frequently without requiring a full operating system upgrade.
This feature allows Apple to deliver security fixes for components such as:
- The Safari browser
- The WebKit framework stack
- Core system libraries
Instead of waiting for a large software update, these improvements can be deployed as lightweight security patches.
Background Security Improvements are supported beginning with:
- iOS 26.1
- iPadOS 26.1
- macOS 26
Apple notes that if compatibility issues appear after deployment, the update may temporarily be withdrawn and later reintroduced with additional improvements.
Managing Security Improvements on Apple Devices
Users can manage Background Security Improvements through the Privacy and Security section in the device settings.
To ensure that patches are installed automatically, Apple recommends keeping the Automatically Install option enabled.
If the feature is turned off, the security improvements will only be applied once they are bundled into a future full software update.
This update mechanism functions similarly to Rapid Security Response, a feature introduced with iOS 16 to deliver urgent security fixes.
Apple also explains that if a background security improvement is removed manually, the device will revert to the base operating system version without the applied security patch.
Recent Apple Security Updates
The latest patch arrives shortly after Apple addressed another security vulnerability that was actively exploited in real world attacks.
The flaw, tracked as CVE-2026-20700, could allow attackers to execute arbitrary code on affected systems. The vulnerability carried a CVSS score of 7.8 and affected multiple Apple platforms including macOS, iOS, tvOS, watchOS, and visionOS.
Additionally, Apple recently expanded security protections for several older vulnerabilities, including:
- CVE-2023-43010
- CVE-2023-43000
- CVE-2023-41974
- CVE-2024-23222
These vulnerabilities were reportedly exploited using the Coruna exploit kit in targeted cyber attacks.
Found this article interesting? Follow us on X (Twitter) , Facebook, Blue sky and LinkedIn to read more exclusive content we post.
