On March 17, 2026, Apple released the first security update applied in the background for iOS, iPadOS and macOS. iOS 26.3.1 (a), iPadOS 26.3.1 (a) and macOS equivalents resolve a vulnerability in the WebKit engine that allowed bypassing the same origin policy. Usuários with compatible devices from iOS 26.1 receive the fix automatically and silently when the feature is enabled in settings.
The flaw identified as CVE-2026-20643 affected the processing of web content in Safari, the Mail app and other applications that use WebKit. Malicious Conteúdo could access data from different domains without authorization. Apple has applied stricter validation on the Navigation API to block this exploit.
How to enable automatic update installation
- Go to Ajustes on your iPhone or iPad.
- Tap Privacidade and Segurança.
- Select Melhorias Background Security.
- Activate the Instalar option automatically.
After activation, the system checks and installs lightweight patches without user intervention. The process takes place in the background and does not require a device restart.
Technical details of the patched vulnerability
The same origin policy mechanism prevents scripts from one site from accessing or manipulating resources from another domain. With the bypass, an attacker could exploit active sessions in different tabs, such as email accounts or banking applications. Researcher Thomas Espach reported the issue directly to Apple.
The correction was implemented on an ongoing basis to reduce the exposure period. Dispositivos updated to iOS 26.3.1 or higher are protected against this specific flaw.
New feature introduced by Apple
The background security improvements feature debuted with iOS 26.1. Ela enables rapid deliveries of minor fixes to critical components such as WebKit and system libraries. Diferente of traditional updates, these improvements do not appear in the Atualização section of Software and are installed silently.
Apple plans to use this mechanism to respond more quickly to threats identified between major system releases. Usuários must keep the feature enabled to receive continued protection.
Practical guidelines for iPhone owners
Periodically check the Privacidade and Segurança section to confirm whether new improvements have been applied. Mantenha iOS updated to fully support the feature. Apple did not record evidence of active exploitation of this vulnerability prior to the release of the patch.