Share
## https://sploitus.com/exploit?id=B773E027-1E57-5331-9D05-E6AB6E754E32
# WebKit-NavigationAPI-SOP-Bypass
**WebKit Navigation API โ Same-Origin Policy bypass via cross-port interception (CVE-2026-20643)**
| | |
|---|---|
| **CVE** | CVE-2026-20643 |
| **Component** | WebKit โ `WebCore::Navigation::innerDispatchNavigateEvent` |
| **Affected** | iOS 26.3.1 build `23D8133` (`iPhone18,2`) |
| **Class** | SOP bypass |
| **Interaction** | Click / link activation |
## Summary
`NavigateEvent.canIntercept` incorrectly returns `true` for same-site, cross-port navigations that differ in origin. The interception gate accepts any HTTP-family target after a same-site check without verifying that scheme, host, and **port** all match. This lets an attacker-controlled page intercept or suppress navigations that should cross an origin boundary.
## Root Cause
```cpp
// WebCore::Navigation::innerDispatchNavigateEvent โ 0x1a1303304 (iOS 26.3.1 / 23D8133)
if (!isSameSite && !isSameOrigin)
return false;
if (targetURL.protocolIsInHTTPFamily())
return true; // โ no port/host/scheme component equality check
// cross-port navigations (e.g. :8000 โ :8800) slip through
```
The WebKit mainline fix adds strict per-component equality (scheme / user / password / host / **port**) before allowing interception.
## PoC
Serve `poc_min.html` on port `8000` and open it on an affected device:
```sh
python3 -m http.server 8000
# http://127.0.0.1:8000/poc_min.html
```
Click **Run PoC**. The page triggers a cross-port navigation (`:8000` โ `:8800`) and reports:
```
Vulnerable: canIntercept=true
Patched: canIntercept=false
```
## Files
| File | |
|---|---|
| [`findings.md`](findings.md) | Full root cause write-up and RE evidence |
| [`poc_min.html`](poc_min.html) | Self-contained detection PoC |