CVE-2026-35643
Status: Received - Intake
JavascriptInterface Injection in OpenClaw WebView Enables Code Execution

Publication date: 2026-04-10

Last updated on: 2026-04-13

Assigner: VulnCheck

Description
OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary instructions. Untrusted pages can invoke the canvas bridge to execute malicious code within the Android application context.
Meta Information
Published: 2026-04-10
Last Modified: 2026-04-13
Generated: 2026-05-07
AI Q&A: 2026-04-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: openclaw
Product: openclaw
Version / Range: up to 2026.3.22 (excluding)
CWE
CWE-940: The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in OpenClaw versions before 2026.3.22 and involves an unvalidated WebView JavascriptInterface. It allows attackers to inject arbitrary instructions by exploiting the canvas bridge, enabling untrusted web pages to execute malicious code within the Android application context.


How can this vulnerability impact me? :

The vulnerability can lead to execution of malicious code within the Android application, potentially compromising the security and integrity of the app and the device it runs on. This could result in unauthorized actions, data theft, or other harmful impacts.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The vulnerability in OpenClaw allows attackers to inject and execute arbitrary code within the Android application context by exploiting an unvalidated WebView JavascriptInterface. This can lead to unauthorized access and manipulation of sensitive data handled by the application.

Such unauthorized code execution and potential data compromise could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and access.

Because the vulnerability enables remote attackers to execute code without privileges or user interaction beyond initial UI access, it poses a high risk to the security controls mandated by these regulations.

However, the provided context and resources do not explicitly discuss compliance implications or specific regulatory impacts.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves untrusted web pages invoking the Android canvas bridge via a WebView JavascriptInterface without proper origin validation. Detection would involve monitoring or inspecting WebView interactions to identify calls to the canvas bridge from untrusted or unexpected origins.

Since the vulnerability is specific to the OpenClaw Android package prior to version 2026.3.22, detection can include verifying the installed OpenClaw version on your system or device.

There are no explicit commands provided in the available resources to detect exploitation attempts or presence of the vulnerability on a network or system.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade OpenClaw to version 2026.3.22 or later, where the vulnerability has been fixed.

The fix involves gating the Android canvas bridge to only allow communication from trusted pages by validating the source URL of bridge messages before processing them.

  • Update the OpenClaw Android package to version 2026.3.22 or newer.
  • Ensure that the application uses the patched code that rejects bridge calls from untrusted origins, as implemented in the files `CanvasScreen.kt` and `CanvasActionTrust.kt`.
  • Avoid loading untrusted or external web content into the WebView that interacts with the canvas bridge.
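The following Kotlin is an added illustration of the mitigation pattern described above (gating a WebView bridge on the calling page's origin). It is not OpenClaw's code and does not reproduce `CanvasScreen.kt` or `CanvasActionTrust.kt`; the allowlisted origin, the `canvasBridge` object name and the string-payload handler are assumptions. It uses the androidx.webkit `WebMessageListener` API, which reports the sender's origin with every message, next to the ungated `addJavascriptInterface` shape that CWE-940 describes.

```kotlin
// Added example, not OpenClaw's code: a WebView bridge that only accepts
// messages from an allowlisted origin. The origin list, the object name
// ("canvasBridge") and the handler type are assumptions for illustration.
import android.net.Uri
import android.webkit.JavascriptInterface
import android.webkit.WebView
import androidx.webkit.WebViewCompat
import androidx.webkit.WebViewFeature

// Assumed allowlist: the only first-party page allowed to drive the canvas.
val TRUSTED_CANVAS_ORIGINS: Set<String> = setOf("https://canvas.example.invalid")

// Rebuilds "scheme://host[:port]" from the Uri the WebView reports as the
// sender's origin and compares it with the allowlist. Null origins, subframes
// and non-https schemes (file:, about:blank, data:) are always rejected.
fun isTrustedCanvasSource(sourceOrigin: Uri?, isMainFrame: Boolean): Boolean {
    if (sourceOrigin == null || !isMainFrame) return false
    if (sourceOrigin.scheme != "https" || sourceOrigin.host.isNullOrEmpty()) return false
    val portSuffix = if (sourceOrigin.port == -1) "" else ":${sourceOrigin.port}"
    val origin = "${sourceOrigin.scheme}://${sourceOrigin.host}$portSuffix"
    return origin in TRUSTED_CANVAS_ORIGINS
}

// Weak pattern (the CWE-940 shape): the object is injected into every frame
// the WebView loads and the method receives nothing that identifies the
// calling page, so any content rendered in the WebView can drive the handler.
class UngatedCanvasBridge(private val handle: (String) -> Unit) {
    @JavascriptInterface
    fun dispatch(payload: String) = handle(payload)
}

// Hardened pattern: WebMessageListener injects the JS object only into frames
// whose origin matches the allowlist, and reports the sender's origin on every
// message, so the host side can check it again before acting on the payload.
fun installGatedCanvasBridge(webView: WebView, handle: (String) -> Unit) {
    check(WebViewFeature.isFeatureSupported(WebViewFeature.WEB_MESSAGE_LISTENER)) {
        "WebView lacks WEB_MESSAGE_LISTENER; do not fall back to addJavascriptInterface"
    }
    WebViewCompat.addWebMessageListener(
        webView,
        "canvasBridge",          // page side calls window.canvasBridge.postMessage(...)
        TRUSTED_CANVAS_ORIGINS   // the JS object is only injected into these origins
    ) { _, message, sourceOrigin, isMainFrame, replyProxy ->
        // Defence in depth: re-verify the reported origin on each message.
        if (!isTrustedCanvasSource(sourceOrigin, isMainFrame)) {
            replyProxy.postMessage("rejected: untrusted origin")
            return@addWebMessageListener
        }
        val payload = message.data ?: return@addWebMessageListener
        handle(payload)
    }
}
```

The reason for the listener API rather than a URL check inside an `@JavascriptInterface` method is that such methods run on a private background thread of the WebView, where reading `webView.url` is not reliable and cannot distinguish a main-frame page from an embedded frame; `WebMessageListener` hands the origin and the main-frame flag to the callback directly. Audit note for the third bullet above: anything the app loads into this WebView (remote pages, redirects, embedded frames) is a potential caller of the bridge, so the allowlist, not the navigation path, is what bounds who can reach the handler.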
