HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Apple WebKit Cross‑Origin Navigation API Flaw (CVE‑2026‑20643) Enables Data Access Across Sites

LiveThreat™ Intelligence · 📅 March 19, 2026· 📰 malwarebytes.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
MEDIUM
🏢
Affected
3 sector(s)
Actions
5 recommended
📰
Source
malwarebytes.com

Apple WebKit Cross‑Origin Navigation API Flaw (CVE‑2026‑20643) Enables Data Access Across Sites

What It Is

A cross‑origin issue in WebKit’s Navigation API that allowed a malicious web page to bypass the same‑origin policy and read data from other sites visited in the same browser session. The bug affects Safari, Mail, and the App Store on iOS, iPadOS, and macOS.

Exploitability

No public evidence of active exploitation and no publicly released PoC. Apple issued a background security improvement, indicating the risk is considered high enough to patch before abuse is observed. A CVSS score has not yet been published, but the ability to steal cross‑site data rates the vulnerability as high severity.

Affected Products

  • Apple Safari (iOS 15+, iPadOS 15+, macOS 13+)
  • Apple Mail and App Store (any version using WebKit 26.3.x)
  • macOS “Tahoe” 26.3.1, macOS “MacBook Neo” 26.3.2, iOS/iPadOS 26.3.x (Background Security Improvements toggle required)

TPRM Impact

  • Enterprises that mandate Safari on corporate‑issued Apple devices face potential credential‑theft or data leakage via malicious web content.
  • SaaS providers delivering web‑based services to Apple users may see compromised session tokens if users are lured to a crafted page.
  • Supply‑chain risk: a compromised third‑party web app could harvest data from other vendor portals accessed in the same session, amplifying downstream exposure.

Recommended Actions

  • Ensure all managed Apple devices run the latest OS branch (26.x) and that the “Background Security Improvements” toggle is enabled.
  • Enforce automatic OS updates through MDM policies for iOS, iPadOS, and macOS.
  • Deploy web‑content filtering that blocks unknown or suspicious domains, especially those serving heavy JavaScript.
  • Review session‑token handling in your SaaS applications; adopt short‑lived tokens and enforce SameSite cookie attributes.
  • Update your vendor‑risk inventory to flag Apple WebKit as a high‑risk component and monitor for emerging exploit reports.

Source: https://www.malwarebytes.com/blog/news/2026/03/apple-patches-webkit-bug-that-could-let-sites-access-your-data

📰 Original Source
https://www.malwarebytes.com/blog/news/2026/03/apple-patches-webkit-bug-that-could-let-sites-access-your-data

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →