CVE-2026-20643

MEDIUM

macOS < 26.3.2 - Same Origin Policy Bypass via Navigation API


Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-20643. PoCs published by Fliv, zeroxjf.

AI-analyzed exploit summary: This repository contains a test harness and references for CVE-2026-20643, a WebKit vulnerability. It includes a link to the patch diff and a blog post but lacks functional exploit code.

Description

A cross-origin issue in the Navigation API was addressed with improved input validation. This issue is fixed in Background Security Improvements for iOS, iPadOS, and macOS, Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. Processing maliciously crafted web content may bypass Same Origin Policy.

Exploits (2)

nomisec WRITEUP
by Fliv · poc
https://github.com/Fliv/CVE-2026-20643

This repository contains a test harness and references for CVE-2026-20643, a WebKit vulnerability. It includes a link to the patch diff and a blog post but lacks functional exploit code.

Classification: Writeup 90%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: WebKit (version not specified)
No auth needed
Prerequisites: WebKit-based browser · access to vulnerable WebKit version
devstral-2 · analyzed Mar 20, 2026
nomisec WRITEUP
by zeroxjf · poc
https://github.com/zeroxjf/WebKit-NavigationAPI-SOP-Bypass

This repository provides a detailed technical analysis of CVE-2026-20643, a Same-Origin Policy bypass in WebKit's Navigation API due to incorrect handling of cross-port navigations. It includes root cause analysis, binary diff evidence, and a proof-of-concept for detection.

Classification: Writeup 100%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: WebKit (iOS 26.3.1 build 23D8133)
No auth needed
Prerequisites: Same-site but cross-origin navigation (e.g., cross-port localhost)
devstral-2 · analyzed Mar 18, 2026

Scores

CVSS v3: 5.4
EPSS: 0.0035
EPSS Percentile: 27.1%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-20, CWE-346
Status: published
Products (15)
Apple/iOS unspecified - 26.3.1 (a)
Apple/iOS and iPadOS < 18.7.7
Apple/iOS and iPadOS < 26.3.1 (a)
Apple/iOS and iPadOS < 26.4
apple/ipados < 26.3.1
Apple/iPadOS unspecified - 26.3.1 (a)
apple/iphone_os < 26.3.1
apple/macos < 26.3.1
Apple/macOS < 26.3.1 (a)
Apple/macOS < 26.3.2 (a)
... and 5 more
Published: Mar 17, 2026
Tracked Since: Mar 18, 2026