Apple has broken new ground in its defensive strategy, using its "Background Security Improvements" feature to deliver an out-of-band fix for a significant cross-origin vulnerability. The flaw, tracked as CVE-2026-20643, resides in the Navigation API and allows malicious web content to bypass the browser's fundamental Same-Origin Policy.
This marks the first time Apple has pushed a security fix through this specialized mechanism, which is designed to deliver small, critical patches outside the traditional iOS and macOS update cycles.
In a significant development for security researchers and administrators, the full technical details of the vulnerability have been published. Most importantly, proof-of-concept (PoC) exploit code has been publicly disclosed on GitHub, providing a clear look at how the flaw can be weaponized.
The public availability of this code underscores the urgency for users to ensure their devices have received the background update, as the barrier to entry for potential attackers has been significantly lowered.
The vulnerability centers on the NavigateEvent.canIntercept check within the Navigation API. In a correct implementation, this "gate" should only allow a page to intercept navigations that share the exact same origin, meaning the scheme, host, and port must all match.
However, researchers discovered that the API was only performing a "same-site" check (comparing the registrable domain) without verifying the specific port.
“NavigateEvent.canIntercept incorrectly returns true for same-site, cross-port navigations that differ in origin. The interception gate accepts any HTTP-family target after a same-site check without verifying that scheme, host, and port all match”.
This oversight allowed "cross-port navigations (e.g., :8000 → :8800)" to slip through the security boundary. Two services on the same host but different ports are distinct origins, yet the flawed check treated them as one. By bypassing these origin protections, an attacker-controlled page could intercept or suppress navigations that should have been strictly isolated from it.
The practical abuse of CVE-2026-20643 involves “navigation flow manipulation and confusion across origin boundaries”. Because an attacker can gain interception capabilities where they should be denied, they can effectively hijack the user’s journey between different web services, even if those services are hosted on the same site.
Apple's fix implements strict per-component equality checks for the scheme, user, password, host, and port before any interception is allowed. Comparing each component individually, rather than relying on a same-site shortcut, ensures the origin boundary remains intact.
The fix is being delivered to the following platforms via Background Security Improvements:
- iOS 26.3.1
- iPadOS 26.3.1
- macOS 26.3.1 and 26.3.2
Users do not typically need to take manual action to receive these background patches, but they are encouraged to verify that their devices have received the update and are running the latest supported versions.