Vulnerability Brief (High severity)

Apple WebKit Cross‑Origin Navigation API Flaw (CVE‑2026‑20643) Enables Data Access Across Sites

🛡️ LiveThreat™ Intelligence · 📅 March 19, 2026· 📰 malwarebytes.com
Severity: High
Type: Vulnerability
Confidence: Medium
Affected: 3 sector(s)
Actions: 5 recommended
Source: malwarebytes.com


What It Is

A same‑origin‑policy bypass in WebKit’s Navigation API: a malicious web page could use the API to read data belonging to other sites the user had visited in the same browser session, data that the browser is supposed to keep isolated per origin. Because the Navigation API lives in WebKit rather than in Safari alone, the bug reaches every Apple client that embeds the engine: Safari, Mail, and the App Store on iOS, iPadOS, and macOS.
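The isolation the brief describes is a testable property. The Navigation API (`window.navigation`) lists the history entries of the current navigable, and the specification excludes entries from other origins from `navigation.entries()` entirely (an entry’s `url` can additionally be `null` when the page that created it opted out via referrer policy). The script below is an added self‑check of that rule, not code from the Malwarebytes article or from Apple/WebKit; it does not trigger or detect CVE‑2026‑20643 specifically, because the details of the bug are not public. The sample entry lists and the `app.example`/`bank.example` origins are constructed for illustration.

```javascript
// Added example, not code from the Malwarebytes article or from Apple/WebKit.
// Checks the Navigation API same-origin guarantee: no entry visible to this
// page may carry a URL from another origin. Written as a pure function so it
// runs under Node on constructed input and in a browser on a live snapshot.
function findCrossOriginEntryLeaks(entries, currentOrigin) {
  const leaks = [];
  entries.forEach((entry, index) => {
    // url === null is permitted (referrer-policy opt-out); nothing to check.
    if (entry.url === null || entry.url === undefined) return;
    let origin;
    try {
      origin = new URL(entry.url).origin;
    } catch {
      leaks.push({ index, url: String(entry.url), reason: "unparseable URL exposed" });
      return;
    }
    if (origin !== currentOrigin) {
      leaks.push({ index, url: entry.url, reason: "cross-origin URL exposed" });
    }
  });
  return leaks;
}

// Constructed sample: what a conforming browser exposes to a page on
// https://app.example. The user also visited another origin between these two
// visits; that entry is absent entirely, as the spec requires.
const CONFORMING_ENTRIES = [
  { url: "https://app.example/login" },
  { url: null }, // same-origin entry whose URL is hidden by referrer policy
  { url: "https://app.example/dashboard" },
];

// Constructed sample of the failure mode: another origin's URL, query string
// included, is visible to app.example. This is what the check flags.
const LEAKING_ENTRIES = [
  { url: "https://app.example/login" },
  { url: "https://bank.example/accounts?view=abc123" },
];

// Browser entry point: snapshot navigation.entries() and run the check.
// Returns null where the Navigation API is absent (Node, or engines without it).
function runInBrowser() {
  if (typeof navigation === "undefined" || typeof location === "undefined") return null;
  const snapshot = navigation.entries().map((e) => ({ url: e.url }));
  return findCrossOriginEntryLeaks(snapshot, location.origin);
}

const liveResult = runInBrowser();
if (liveResult !== null) {
  console.log(liveResult.length === 0 ? "no cross-origin entries exposed" : liveResult);
}
```

To use it as a browser self‑check, load the script on a page of your own origin after browsing to a couple of other sites in the same tab; a conforming engine prints no findings. A non‑empty result means the engine exposed another origin’s history, which is exactly the class of isolation failure the brief is about, though not proof of this particular CVE.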

Exploitability

There is no public evidence of active exploitation and no public proof of concept. Apple shipped the fix as a Background Security Improvement, a mechanism that delivers a WebKit fix without a full OS update, so the hole can be closed on patched devices ahead of any observed abuse. No CVSS score has been published; this brief rates the issue High because a same‑origin‑policy bypass exposes whatever the victim’s other sites return in that session (page content, session tokens, account details).

Affected Products

  • Apple Safari (iOS 15+, iPadOS 15+, macOS 13+)
  • Apple Mail and App Store (any version using WebKit 26.3.x)
  • macOS “Tahoe” 26.3.1, macOS “MacBook Neo” 26.3.2, iOS/iPadOS 26.3.x (Background Security Improvements toggle required)

TPRM Impact

  • Enterprises that standardize on Safari for corporate‑issued Apple devices face credential theft or data leakage if a user browses to malicious web content while logged in to internal or SaaS portals.
  • SaaS providers serving Apple users may see session tokens or in‑page data exposed if a user is lured to a crafted page during the same browser session.
  • Supply‑chain risk: a compromised third‑party web app could harvest data from other vendor portals open in the same session, amplifying downstream exposure.

Recommended Actions

  • Ensure all managed Apple devices run the latest OS branch (26.x) and that the “Background Security Improvements” toggle is enabled, since the fix is delivered through that channel rather than a point release.
  • Enforce automatic OS updates through MDM policies for iOS, iPadOS, and macOS.
  • Deploy web‑content filtering that blocks newly registered, uncategorized, or otherwise untrusted domains; the attack requires the victim to load attacker‑controlled script, so limiting exposure to untrusted web content limits exposure to the bug.
  • Review session‑token handling in your SaaS applications: adopt short‑lived tokens and enforce SameSite cookie attributes. Note the limit of this control: SameSite only governs whether cookies are sent on cross‑site requests; it does not stop a renderer bug that reads another origin’s already‑loaded data, so short token lifetimes and re‑authentication for sensitive actions do more to bound the damage here.
  • Update your vendor‑risk inventory to flag Apple WebKit as a high‑risk component and monitor for emerging exploit reports.
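The session‑token recommendation above is concrete enough to check mechanically. The script below is an added example, not code from the article or from any product it names: it audits a `Set-Cookie` header for the attributes the brief calls for (Secure, HttpOnly, SameSite, bounded Max‑Age) and shows the weak header beside a hardened replacement. The 15‑minute lifetime and the `sid` cookie name are assumed policy values, and the sample headers are constructed.

```javascript
// Added example, not code from the Malwarebytes article or any vendor.
// Audits a Set-Cookie header against the hardening the brief recommends and
// builds a compliant replacement. MAX_SESSION_SECONDS is an assumed policy.
const MAX_SESSION_SECONDS = 15 * 60;

// Minimal Set-Cookie parser: "name=value; Attr; Attr=val; ..." -> structured form.
// Attribute names are case-insensitive, so they are lowercased for lookup.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attributes = {};
  for (const attr of attrs) {
    if (attr === "") continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attributes };
}

// Returns the list of hardening gaps; an empty list means the header passes.
function auditSessionCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  if (!attributes.secure) findings.push("missing Secure");
  if (!attributes.httponly) findings.push("missing HttpOnly");
  const sameSite =
    typeof attributes.samesite === "string" ? attributes.samesite.toLowerCase() : null;
  if (sameSite === "none") {
    findings.push("SameSite=None sends cookie on cross-site requests");
  } else if (sameSite !== "strict" && sameSite !== "lax") {
    findings.push("missing SameSite");
  }
  if (attributes["max-age"] === undefined) {
    findings.push("no Max-Age: lifetime is not bounded by the server");
  } else if (Number(attributes["max-age"]) > MAX_SESSION_SECONDS) {
    findings.push(`Max-Age ${attributes["max-age"]}s exceeds ${MAX_SESSION_SECONDS}s`);
  }
  return { name, findings };
}

// The corrected setting: same cookie, short-lived and locked to this site.
function hardenedSessionCookie(name, value, maxAgeSeconds = MAX_SESSION_SECONDS) {
  return `${name}=${value}; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=${maxAgeSeconds}`;
}

// Constructed weak header: 30-day session cookie with no protective flags.
const WEAK_COOKIE = "sid=abc123; Path=/; Max-Age=2592000";
const HARDENED_COOKIE = hardenedSessionCookie("sid", "abc123");

console.log("weak:", auditSessionCookie(WEAK_COOKIE));
console.log("hardened:", auditSessionCookie(HARDENED_COOKIE));
```

Run it against the headers your own login endpoint returns (for example from `curl -sI`). SameSite=Strict will break legitimate cross‑site entry points such as SSO redirects into the app; where those exist, SameSite=Lax plus the short lifetime is the usual compromise, and the check accepts either value.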

Source: https://www.malwarebytes.com/blog/news/2026/03/apple-patches-webkit-bug-that-could-let-sites-access-your-data


This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
