APPLE has released a Background Security Improvement to patch a WebKit flaw that could let malicious sites bypass browser protections and access data from other sites, tracked as CVE-2026-20643. The vulnerability is described as a cross-origin issue in the Navigation API that could allow a website to read information that should be kept separate. In practical terms, an attacker would need to lure a user to a specially crafted page to bypass normal site isolation and access data from another tab or embedded content.
The update is available on top of versions 26.3.1/26.3.2 and applies silently in the background on the latest OS branch (26.x). It is available for Mac users running Tahoe 26.3.1 and MacBook Neo users running 26.3.2, and guidance is provided for checking updates on iOS, iPadOS and macOS, including enabling Automatic Updates.