CVE-2026-35643
Received Received - Intake
JavascriptInterface Injection in OpenClaw WebView Enables Code Execution

Publication date: 2026-04-10

Last updated on: 2026-04-13

Assigner: VulnCheck

Description
OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary instructions. Untrusted pages can invoke the canvas bridge to execute malicious code within the Android application context.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-14
NVD
CVE-2026-35643
EUVD
EUVD-2026-21438
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.3.22 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-940 The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in OpenClaw versions before 2026.3.22 and involves an unvalidated WebView JavascriptInterface. It allows attackers to inject arbitrary instructions by exploiting the canvas bridge, enabling untrusted web pages to execute malicious code within the Android application context.

Impact Analysis

The vulnerability can lead to execution of malicious code within the Android application, potentially compromising the security and integrity of the app and the device it runs on. This could result in unauthorized actions, data theft, or other harmful impacts.

Compliance Impact

The vulnerability in OpenClaw allows attackers to inject and execute arbitrary code within the Android application context by exploiting an unvalidated WebView JavascriptInterface. This can lead to unauthorized access and manipulation of sensitive data handled by the application.

Such unauthorized code execution and potential data compromise could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and access.

Because the vulnerability enables remote attackers to execute code without privileges or user interaction beyond initial UI access, it poses a high risk to the security controls mandated by these regulations.

However, the provided context and resources do not explicitly discuss compliance implications or specific regulatory impacts.

Detection Guidance

This vulnerability involves untrusted web pages invoking the Android canvas bridge via a WebView JavascriptInterface without proper origin validation. Detection would involve monitoring or inspecting WebView interactions to identify calls to the canvas bridge from untrusted or unexpected origins.

Since the vulnerability is specific to the OpenClaw Android package prior to version 2026.3.22, detection can include verifying the installed OpenClaw version on your system or device.

There are no explicit commands provided in the available resources to detect exploitation attempts or presence of the vulnerability on a network or system.

Mitigation Strategies

The primary mitigation is to upgrade OpenClaw to version 2026.3.22 or later, where the vulnerability has been fixed.

The fix involves gating the Android canvas bridge to only allow communication from trusted pages by validating the source URL of bridge messages before processing them.

  • Update the OpenClaw Android package to version 2026.3.22 or newer.
  • Ensure that the application uses the patched code that rejects bridge calls from untrusted origins, as implemented in the files `CanvasScreen.kt` and `CanvasActionTrust.kt`.
  • Avoid loading untrusted or external web content into the WebView that interacts with the canvas bridge.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35643. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart