Apple has rolled out a new way to deliver security fixes without forcing a full system update. It calls the mechanism Background Security Improvements, and its first real delivery patches CVE-2026-20643, a WebKit flaw that let a crafted web page bypass the same-origin policy.
What actually breaks
The bug lives in the Navigation API of WebKit, the engine behind Safari and every web view on iOS, iPadOS and macOS. Apple describes it as a cross-origin issue fixed with improved input validation. The same-origin policy is the wall that stops one site from reading another site’s data. When that wall fails, a malicious page can pose as a different site you trust and read information that should stay isolated across tabs or domains.
There is nothing to install and no odd permission to grant. The browser only has to process web content built to trigger the flaw. That is why the reach is wide: any app that renders pages with WebKit inherits the problem, not just Safari.
Security researcher Thomas Espach reported the bug. At the time of the patch there was no record of active exploitation.
Who is affected and which versions fix it
Apple fixed it in iOS 26.3.1, iPadOS 26.3.1 and macOS 26.3.1, with a follow-up delivery in macOS 26.3.2. If you run a Mac on the macOS Tahoe 26.x branch, this is how the fix reaches you.
Here is the notable part. Background Security Improvements only works on the latest system branch, 26.x, and applies silently in the background once you are up to date. It is Apple’s answer to the old problem of patches arriving late because users defer the big update. If you stayed on an earlier macOS branch, you do not get this automatic patch and would have to update the traditional way.
Severity and mitigation
The severity is high. A same-origin policy bypass opens the door to cross-site data theft, which is exactly what that policy exists to prevent. It stops short of code execution, but leaking session credentials or personal data from a trusted domain is serious.
The fix is straightforward: keep the device on the 26.x branch and leave background security updates enabled. On a Mac, check in System Settings that the machine is current and that Background Security Improvements shows as active. If you manage a fleet, confirm machines are on macOS 26.3.1 or later before closing the incident, because older or LTS-style branches do not get this silent delivery.
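As an added example for the fleet check above (not Apple's tooling and not from the original article): a POSIX shell script that compares a macOS product version against 26.3.1, the first build the article names as carrying the fix, and walks a small inventory to flag machines that still need action. The `sw_vers -productVersion` call is macOS's own and is only used when present; the host names and versions in the sample inventory are constructed, and the three verdict labels are my own.

```shell
#!/bin/sh
# Added example, not Apple's code: verify that a macOS version is at or past
# the first build carrying the CVE-2026-20643 fix (26.3.1 per the article).

FIXED_VERSION="26.3.1"   # from the article
FIXED_BRANCH="26"        # Background Security Improvements only reach the 26.x branch

# version_ge A B: exit 0 when dotted version A >= B, comparing each field numerically.
# Missing trailing fields count as 0, so "26.3" == "26.3.0".
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# patch_status VERSION: prints one verdict label (labels are my own, not Apple's):
#   patched      - on 26.x and at or past FIXED_VERSION
#   needs-update - on 26.x but older than FIXED_VERSION
#   off-branch   - not on 26.x, so the silent delivery does not apply
patch_status() {
    v="$1"
    major=${v%%.*}
    if [ "$major" != "$FIXED_BRANCH" ]; then
        echo "off-branch"
    elif version_ge "$v" "$FIXED_VERSION"; then
        echo "patched"
    else
        echo "needs-update"
    fi
}

# count_unpatched INVENTORY: INVENTORY is "host version" lines; prints the number
# of hosts whose verdict is anything other than "patched".
count_unpatched() {
    n=0
    while read -r host ver; do
        [ -z "$host" ] && continue
        case $(patch_status "$ver") in
            patched) ;;
            *) n=$((n + 1)) ;;
        esac
    done <<EOF
$1
EOF
    echo "$n"
}

# Constructed sample inventory (hostname and version), not real fleet data.
SAMPLE_INVENTORY='mac-01 26.3.1
mac-02 26.3.2
mac-03 26.2.0
mac-04 15.7.1'

# Stand-alone run: check this Mac if sw_vers exists, then report the sample fleet.
if command -v sw_vers >/dev/null 2>&1; then
    local_ver=$(sw_vers -productVersion)
    printf 'this Mac: %s -> %s\n' "$local_ver" "$(patch_status "$local_ver")"
fi
printf '%s\n' "$SAMPLE_INVENTORY" | while read -r host ver; do
    printf '%-8s %-8s %s\n' "$host" "$ver" "$(patch_status "$ver")"
done
echo "hosts needing action: $(count_unpatched "$SAMPLE_INVENTORY")"
```

In a real deployment the inventory would come from your MDM or from `sw_vers -productVersion` collected per host; the comparison deliberately treats a machine on an earlier branch as a separate verdict, because it will not receive this fix through the background mechanism at all.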
If you want the wider context of Apple’s March security work, the same cycle brought macOS Tahoe 26.4 with more than 70 CVEs fixed, including a root escalation in PackageKit.
Sources
- Apple security releases: https://support.apple.com/en-us/100100
- NVD CVE-2026-20643: https://nvd.nist.gov/vuln/detail/CVE-2026-20643