CVE-2026-47430
Status: Awaiting Analysis - Queue
Cordova Plugin InAppBrowser Callback ID Spoofing

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: Apache Software Foundation

Description
Summary

The iOS implementation of `cordova-plugin-inappbrowser` passes the `id` field from a `WKScriptMessage` body to `commandDelegate sendPluginResult:callbackId:` with no format validation (`CDVWKInAppBrowser.m:560–574`). Any web content loaded inside the InAppBrowser can fire any pending Cordova callback in the host app by posting a message whose `id` field is a guessable or enumerated callback identifier. An attack abusing this weakness must be tailored to the specific plugins and callback IDs the host app uses, though an attacker with knowledge of common Cordova plugin configurations could craft reusable payloads targeting widely adopted plugins.

Impact

An unauthenticated remote attacker who controls content displayed in the InAppBrowser, whether via a URL the app opens (OAuth redirect, marketing link, deep-link target) or via network interception, can call `window.webkit.messageHandlers.cordova_iab.postMessage({id: '<victim-callback-id>', d: '...'})` to fire callbacks belonging to any other installed Cordova plugin (Camera, Contacts, File, Geolocation). Cordova callback IDs follow the predictable format `<PluginName><sequential-integer>`, making enumeration feasible. Successful exploitation allows the attacker to spoof plugin results across trust boundaries, for example by injecting a forged camera approval, a fabricated contacts list, or a crafted file-read response.

This issue affects Cordova Plugin InAppBrowser from 3.1.0 through 6.0.0. Users are recommended to upgrade to version 6.0.1, which fixes the issue.
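As an added illustration, not the plugin's own code and not its 6.0.1 fix, the handler below shows one defensive shape for the check the description says is missing: the `id` taken from the script message is routed only if it has the plugin's own callback-id format and is an id this plugin itself handed to page JavaScript. The `pendingScriptCallbackIds` property, the `iab_handleScriptMessage:` name and the regular expression are assumptions of this example.

```objective-c
#import <WebKit/WebKit.h>
#import <Cordova/CDV.h>
#import "CDVWKInAppBrowser.h"

// Format check: only ids shaped like this plugin's own callbacks ("InAppBrowser" followed
// by digits, the <PluginName><sequential-integer> form) pass; a Camera or File id does not.
static BOOL IAB_IsOwnCallbackIdFormat(id candidate) {
    if (![candidate isKindOfClass:[NSString class]]) return NO;
    NSString *cid = (NSString *)candidate;
    if (cid.length == 0 || cid.length > 64) return NO;      // bound input before matching
    static NSRegularExpression *re; static dispatch_once_t once;
    dispatch_once(&once, ^{
        re = [NSRegularExpression regularExpressionWithPattern:@"^InAppBrowser[0-9]+$"
                                                       options:0 error:nil];
    });
    return [re firstMatchInString:cid options:0 range:NSMakeRange(0, cid.length)] != nil;
}

@interface CDVWKInAppBrowser (HardenedScriptMessages)
// Assumed: backed by a synthesized property on the plugin class, and filled by
// executeScript each time it hands a callback id to page JavaScript.
@property (nonatomic, strong) NSMutableSet<NSString *> *pendingScriptCallbackIds;
- (void)iab_handleScriptMessage:(WKScriptMessage *)message;
@end

@implementation CDVWKInAppBrowser (HardenedScriptMessages)
// Hardened replacement for the cordova_iab handler body: the id must have the plugin's
// own format AND be one this plugin issued, and each issued id may fire only once.
- (void)iab_handleScriptMessage:(WKScriptMessage *)message {
    if (![message.name isEqualToString:@"cordova_iab"]) return;
    if (![message.body isKindOfClass:[NSDictionary class]]) return;
    NSDictionary *body = (NSDictionary *)message.body;
    id scriptCallbackId = body[@"id"];

    // Fail closed: a malformed, foreign or replayed id is logged and dropped, never routed.
    if (!IAB_IsOwnCallbackIdFormat(scriptCallbackId) ||
        ![self.pendingScriptCallbackIds containsObject:scriptCallbackId]) {
        NSLog(@"[InAppBrowser] dropped script message with unexpected callback id");
        return;
    }
    [self.pendingScriptCallbackIds removeObject:scriptCallbackId];

    id data = body[@"d"];
    NSArray *payload = (data != nil && data != [NSNull null]) ? @[data] : @[];
    CDVPluginResult *result = [CDVPluginResult resultWithStatus:CDVCommandStatus_OK
                                                 messageAsArray:payload];
    [self.commandDelegate sendPluginResult:result callbackId:scriptCallbackId];
}
@end
```

The format check alone already blocks ids belonging to other plugins; the issued-id set additionally stops a page from firing an InAppBrowser callback it was never given, and the dropped-message log line gives a detection hook for content that probes the bridge.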
Meta Information
Generated: 2026-06-08
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor   Product                       Version / Range
apache   cordova_plugin_inappbrowser   From 3.1.0 (inc) to 6.0.0 (inc)
apache   cordova_plugin_inappbrowser   6.0.1
CWE ID   Description
CWE-20   The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Executive Summary

The vulnerability exists in the iOS implementation of the Cordova Plugin InAppBrowser versions 3.1.0 through 6.0.0. It occurs because the plugin passes the 'id' field from a WKScriptMessage body to the commandDelegate's sendPluginResult:callbackId: method without validating its format.

This lack of validation allows any web content loaded inside the InAppBrowser to trigger any pending Cordova callback in the host app by posting a message with a guessed or enumerated callback identifier. Since Cordova callback IDs follow a predictable format (such as <PluginName><sequential-integer>), attackers can craft payloads targeting common plugins like Camera, Contacts, File, or Geolocation.

In essence, an attacker controlling the web content displayed in the InAppBrowser can abuse this weakness to fire arbitrary callbacks within the host app.

Impact Analysis

An unauthenticated remote attacker who controls content displayed in the InAppBrowser can exploit this vulnerability to invoke arbitrary Cordova plugin callbacks in the host app.

This can lead to spoofed plugin results crossing trust boundaries, such as injecting fake camera approvals, fabricated contacts lists, or crafted file-read responses.

Such impacts can compromise the integrity and trustworthiness of app data and user interactions with device features.

Mitigation Strategies

The recommended immediate step to mitigate this vulnerability is to upgrade the Cordova Plugin InAppBrowser on iOS to version 6.0.1, which contains the fix for this issue.
