Description
A cross-origin issue in the Navigation API was addressed with improved input validation. This issue is fixed in Background Security Improvements for iOS, iPadOS, and macOS, Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. Processing maliciously crafted web content may bypass Same Origin Policy.
Published: 2026-03-17
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Same Origin Policy Bypass
Action: Patch Immediately
AI Analysis

Impact

A flaw in Apple’s Navigation API allows a maliciously crafted webpage to bypass the browser’s Same‑Origin Policy. The root cause is insufficient input validation (CWE‑20), which can let an attacker’s page read or manipulate data belonging to other origins that it should not be able to access. The vulnerability does not provide direct code execution, but it can undermine data confidentiality and integrity across domains.

Affected Systems

Apple’s Safari browser, iOS, iPadOS, macOS, and visionOS are affected when running a version earlier than the fixed releases: the Background Security Improvements for iOS, iPadOS, and macOS, Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, and visionOS 26.4. Any device still on an earlier revision remains vulnerable until the corresponding update is installed.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. With an EPSS score below 1% and no listing in the CISA KEV catalog, public exploitation today is unlikely, but the vulnerability could be leveraged by an attacker who lures a user to a malicious site that abuses the Navigation API. The attack vector is therefore likely to be phishing or malicious webpages that a victim visits. Because the flaw is an input‑validation issue rather than a privilege‑escalation or remote‑code‑execution flaw, the impact is limited to cross‑origin data access or navigation manipulation.

Generated by OpenCVE AI on March 25, 2026 at 04:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Safari and all affected Apple operating systems to the latest available release (Safari 26.4 or later, iOS 18.7.7+, iPadOS 18.7.7+, macOS Tahoe 26.4+, visionOS 26.4+).
  • If an immediate upgrade is not possible, use a content blocker or a trusted‑site whitelist to restrict the user’s exposure to known malicious webpages.
  • Monitor Apple’s security advisories and verify that the operating‑system update has been successfully applied.


Advisories

No advisories yet.

History

Tue, 31 Mar 2026 03:00:00 +0000

  Title
    Removed: Cross‑origin Bypass in Apple Safari Navigation API
    Added:   webkitgtk: Processing maliciously crafted web content may bypass Same Origin Policy
  References
  Metrics: threat_severity
    Removed: None
    Added:   Moderate


Wed, 25 Mar 2026 12:00:00 +0000

  Title
    Added:   Cross‑origin Bypass in Apple Safari Navigation API

Wed, 25 Mar 2026 01:00:00 +0000

  Description
    Removed: A cross-origin issue in the Navigation API was addressed with improved input validation. This issue is fixed in Background Security Improvements for iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2. Processing maliciously crafted web content may bypass Same Origin Policy.
    Added:   A cross-origin issue in the Navigation API was addressed with improved input validation. This issue is fixed in Background Security Improvements for iOS, iPadOS, and macOS, Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. Processing maliciously crafted web content may bypass Same Origin Policy.
  References

Thu, 19 Mar 2026 17:30:00 +0000

  References

Wed, 18 Mar 2026 20:15:00 +0000

  First Time appeared
    Added:   Apple iphone Os
  CPEs
    Added:   cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
             cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
             cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
  Vendors & Products
    Added:   Apple iphone Os

Wed, 18 Mar 2026 14:15:00 +0000

  Weaknesses
    Added:   CWE-20
             CWE-346
  Metrics: cvssV3_1
    Added:   {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}
  Metrics: ssvc
    Added:   {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 12:15:00 +0000

  First Time appeared
    Added:   Apple
             Apple ios
             Apple ipados
             Apple macos
  Vendors & Products
    Added:   Apple
             Apple ios
             Apple ipados
             Apple macos

Tue, 17 Mar 2026 22:45:00 +0000

  Description
    Added:   A cross-origin issue in the Navigation API was addressed with improved input validation. This issue is fixed in Background Security Improvements for iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2. Processing maliciously crafted web content may bypass Same Origin Policy.
  References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:19:47.831Z

Reserved: 2025-11-11T14:43:07.862Z

Link: CVE-2026-20643

Vulnrichment

Updated: 2026-03-19T16:18:46.731Z

NVD

Status : Modified

Published: 2026-03-17T23:16:17.193

Modified: 2026-03-25T01:17:04.543

Link: CVE-2026-20643

Redhat

Severity : Moderate

Public Date: 2026-03-28T20:00:00Z

Links: CVE-2026-20643 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-25T11:52:57Z

Weaknesses