Critical Same‑Origin Bypass in WebKit (CVE‑2026‑20643) Impacts iOS, iPadOS, macOS via Background Security Improvements
What It Is — Apple disclosed a cross‑origin bypass in the WebKit Navigation API (CVE‑2026‑20643). Malicious web content can evade the browser’s Same‑Origin Policy, potentially allowing data leakage across domains.
Exploitability — The flaw is actively exploitable in the wild; proof‑of‑concept code has been shared by the researcher. Apple issued a targeted “Background Security Improvements” (BSI) patch rather than a full OS release. CVSS is estimated at 7.8 (High).
Affected Products — iPhone (iOS 26.3.1), iPad (iPadOS 26.3.1), Mac (macOS 26.3.1 & 26.3.2). The BSI mechanism updates only the Safari/WebKit stack without a full OS upgrade.
TPRM Impact —
- Third‑party SaaS and internal web applications accessed from Apple devices are exposed to cross‑origin data theft until the BSI patch is applied.
- The new BSI delivery model introduces a supply‑chain risk: uninstalling a BSI update reverts devices to a vulnerable baseline, potentially breaking security controls across the vendor ecosystem.
Recommended Actions —
- Enforce the installation of all Background Security Improvements updates on all Apple devices used by vendors and employees.
- Integrate Apple OS version and BSI patch status into your third‑party asset inventory and continuous monitoring tools.
- Test BSI patches in a staging environment before wide rollout to detect rare compatibility issues.
- Communicate to partners that removal of BSI patches will re‑expose the WebKit flaw and must be avoided.
- Update your incident‑response playbooks to include WebKit Same‑Origin bypass scenarios.
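One way to act on the inventory and BSI-removal monitoring items above, as an added example that is not from the advisory or from BleepingComputer: it runs a check over constructed device records, and the field names and two-snapshot layout are assumptions about an MDM inventory export, not a real schema.

```python
from dataclasses import dataclass

# Builds the advisory names as affected. The BSI update closes the flaw without
# moving the device to a new OS version, so the version string alone cannot
# tell patched from unpatched; the BSI install state must be tracked with it.
AFFECTED_VERSIONS = {
    "iOS": {"26.3.1"},
    "iPadOS": {"26.3.1"},
    "macOS": {"26.3.1", "26.3.2"},
}

@dataclass(frozen=True)
class Device:
    device_id: str
    os_name: str       # "iOS", "iPadOS" or "macOS" (assumed export field)
    os_version: str    # e.g. "26.3.1"
    bsi_applied: bool  # True when the Background Security Improvements update is installed

def is_exposed(dev: Device) -> bool:
    """Exposed: an affected build with no BSI update in place."""
    return dev.os_version in AFFECTED_VERSIONS.get(dev.os_name, set()) and not dev.bsi_applied

def exposed_devices(inventory: list[Device]) -> list[str]:
    """IDs of devices that still need the BSI update, sorted for stable reporting."""
    return sorted(d.device_id for d in inventory if is_exposed(d))

def bsi_regressions(previous: list[Device], current: list[Device]) -> list[str]:
    """IDs of devices that had the BSI update in the previous snapshot and lack it
    now: a removal that re-exposes the WebKit flaw and should raise an alert."""
    had_bsi = {d.device_id for d in previous if d.bsi_applied}
    return sorted(d.device_id for d in current if d.device_id in had_bsi and not d.bsi_applied)

# Constructed sample snapshots (not real inventory data).
PREVIOUS = [
    Device("mac-01", "macOS", "26.3.2", bsi_applied=True),
    Device("mac-02", "macOS", "26.3.1", bsi_applied=False),
    Device("ipad-01", "iPadOS", "26.3.1", bsi_applied=True),
    Device("iphone-01", "iOS", "26.3.1", bsi_applied=True),
]
CURRENT = [
    Device("mac-01", "macOS", "26.3.2", bsi_applied=False),  # BSI removed since last scan
    Device("mac-02", "macOS", "26.3.1", bsi_applied=True),   # patched since last scan
    Device("ipad-01", "iPadOS", "26.3.1", bsi_applied=True),
    Device("iphone-01", "iOS", "26.3.1", bsi_applied=True),
]

if __name__ == "__main__":
    print("exposed now:", exposed_devices(CURRENT))            # ['mac-01']
    print("BSI removed:", bsi_regressions(PREVIOUS, CURRENT))  # ['mac-01']
```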
Source: BleepingComputer