CVE-2026-20643
Cross-Origin Bypass in Apple Navigation API Enables Data Exposure
Publication date: 2026-03-17
Last updated on: 2026-03-25
Assigner: Apple Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Affected version range |
|---|---|---|
| apple | ipados | all versions before 26.3.1 (26.3.1 not affected) |
| apple | iphone_os | all versions before 26.3.1 (26.3.1 not affected) |
| apple | macos | all versions before 26.3.1 (26.3.1 not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-346 | The product does not properly verify that the source of data or communication is valid. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a cross-origin issue in the Navigation API where maliciously crafted web content can bypass the Same Origin Policy. The Same Origin Policy is a security measure that restricts how documents or scripts loaded from one origin can interact with resources from another origin. The issue was addressed by improving input validation in the affected systems.
How can this vulnerability impact me?
Because this vulnerability allows bypassing the Same Origin Policy, an attacker could potentially access or manipulate data from another origin without proper authorization. This could lead to unauthorized data exposure or manipulation when processing malicious web content.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update your Apple devices to the fixed versions: Background Security Improvements for iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, or macOS 26.3.2.