Apple has released a Background Security Update that addresses a newly uncovered flaw tracked as CVE-2026-20643, the effects of which span its smartphone, tablet, desktop and notebook product ecosystems.
CVE-2026-20643, credited to security researcher Thomas Espach, affects the WebKit browser engine, specifically its Navigation application programming interface (API).
According to Apple, the CVE-2026-20643 bug enables a threat actor to bypass a web browser security mechanism called the Same Origin Policy if the target device processes maliciously crafted web content. Apple said it had now addressed this issue with improved input validation.
“WebKit is the underlying technology that powers Safari and other browsers on iOS. The flaw, CVE-2026-20643, specifically affects the Same Origin Policy, which stops one website from accessing another’s personal information. By exploiting the vulnerability, maliciously crafted web content could potentially access data from another site,” said Adam Boynton, senior enterprise strategy manager at Apple device management and security specialist Jamf.
In layman’s terms, to take advantage of CVE-2026-20643, a threat actor would need to lure their victim – most likely via a phishing email – to visit a malicious website.
At that point, the malicious page would attempt to bypass the isolation enforced by the Same Origin Policy, which restricts how documents and scripts loaded from one origin interact with resources from another.
Ultimately, its purpose is to keep documents from different origins, including potentially malicious ones, isolated from one another, which makes it a critical factor in endpoint security.
Successfully exploited, the flaw could enable a threat actor to view data from other open browser tabs, for example. In the wrong circumstances, this may grant them the ability to see and steal credentials as a stepping stone to persistent and further attacks, or exfiltrate sensitive data for extortion.
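To make the isolation the policy enforces concrete, the following is an added example written for this article (not Apple's or WebKit's code) showing the origin tuple a browser compares before letting one document read another's state; the URLs are constructed samples.

```javascript
// Added example: how a browser derives the (scheme, host, port) origin tuple
// that the Same Origin Policy compares. Two documents may read each other's
// state only when all three components match exactly.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Return the origin tuple for an absolute URL, filling in the scheme's default
// port when the URL omits it (the URL parser strips explicit default ports).
function originTuple(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// The policy check: true only when every component matches. A different
// subdomain, scheme or port is a different origin, even on the same server.
function sameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed sample pairs: [url A, url B, expected same-origin verdict].
const SAMPLES = [
  ["https://bank.example/account", "https://bank.example:443/transfer", true],
  ["https://bank.example/", "http://bank.example/", false],
  ["https://bank.example/", "https://evil.example/", false],
  ["https://bank.example/", "https://api.bank.example/", false],
  ["https://bank.example/", "https://bank.example:8443/", false],
];

// Returns true when every sample pair gets the verdict the policy prescribes.
function checkSamples() {
  return SAMPLES.every(([a, b, expected]) => sameOrigin(a, b) === expected);
}
```

A bypass of the kind described above is a case where the engine lets content with a non-matching tuple read state it should not; the tuple comparison itself is unchanged.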
Jamf’s Boynton said: “For organisations, it’s crucial to ensure this update is issued immediately as any postponements will leave devices and operations vulnerable. More importantly, users should set updates to be issued automatically, so there’s no window for attackers to exploit.”
What are background updates?
This is the first ever Background Security Update issued by Apple, which touts the feature as a means to push additional security protections live in between its more regular software updates.
It describes Background Security Updates as “lightweight security releases” for components such as the Safari web browser or, as in this case, the WebKit framework stack, that may benefit from smaller, ongoing patches on a more frequent cadence.
Background Security Updates also mean users will not have to go through the bother of applying a whole new version of their device’s operating system, along with everything that entails. Instead, the updates can be targeted at, and swiftly deployed to, individual system components.
Although Apple devices should have background updates applied automatically, it is possible to switch off this ability if desired. Users who want to be certain they are receiving Background Security Updates should navigate to the Privacy and Security menu in their device settings and make sure the option to Automatically Install is toggled on, otherwise they will end up waiting for the next software update.
Note that, according to Apple, if a user chooses to remove a Background Security Update, their device will revert to the baseline operating system minus any recent fixes.