CVE-2026-15193
Received Received - Intake

Command Injection in OpenClaw Android WebView Bridge

Vulnerability report for CVE-2026-15193, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: VulDB

Description

A vulnerability was determined in AidanPark openclaw-android up to 0.4.0. The affected element is an unknown function of the file android/app/src/main/java/com/openclaw/android/JsBridge.kt of the component Android WebView Bridge. This manipulation causes os command injection. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The pull request to fix this issue awaits acceptance.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
aidanpark openclaw-android to 0.4.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability allows an attacker with local access to the WebView JavaScript environment to execute arbitrary shell commands on the device within the app's runtime context. This can lead to unauthorized file manipulation, execution of malicious scripts, or further compromise of the device or app environment.

Because the attack requires local access and JavaScript execution in the WebView, the risk is somewhat limited but still significant for users who might be exposed to malicious WebView content or compromised assets.

Executive Summary

CVE-2026-15193 is a vulnerability in the openclaw-android project affecting the Android WebView Bridge component. Specifically, an unrestricted JavaScript bridge in the WebView allows local attackers to execute arbitrary shell commands. The vulnerability exists because the app exposes native bridge methods that accept JavaScript-controlled command strings and pass them directly to a shell runner without validation or sanitization. This enables an attacker with local access to the WebView's JavaScript context to perform OS command injection.

The vulnerability arises from the methods `runCommand` and `runCommandAsync` in the WebView's JavaScript bridge, which execute shell commands via `sh -c` using untrusted input. Exploitation requires JavaScript execution within the WebView, which could happen through compromised assets, cross-site scripting-like bugs, or supply chain attacks.

Detection Guidance

This vulnerability involves arbitrary shell command execution via an unrestricted JavaScript bridge in the OpenClaw Android app's WebView component. Detection involves identifying if the vulnerable app version is installed and if the exposed native bridge methods `runCommand` or `runCommandAsync` are accessible.

Since the attack can only be executed locally and requires JavaScript execution within the WebView, network detection is limited. Instead, detection should focus on inspecting the app environment and runtime behavior.

  • Check if the openclaw-android app version is up to 0.4.0, which is vulnerable.
  • Use Android debugging tools (adb) to inspect the app's WebView and JavaScript bridge exposure.
  • Run commands to detect the presence of the exposed bridge methods, for example, using adb shell to check the app's process and inspect loaded WebView components.
  • Monitor for suspicious shell command executions originating from the app's runtime context.

Specific commands are not provided in the resources, but typical approaches include using adb to inspect the app and its WebView, and searching for the presence of the `window.OpenClaw` bridge or attempts to execute shell commands via the app.

Compliance Impact

The vulnerability allows arbitrary shell command execution via an unrestricted WebView JavaScript bridge, which could lead to unauthorized local access and manipulation of data within the affected application environment.

Such unauthorized access and potential data manipulation could impact compliance with standards like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and access.

Because the exploit can be executed locally and may allow attackers to execute arbitrary commands, it increases the risk of data breaches or unauthorized data processing, which are critical compliance concerns under these regulations.

However, the provided information does not explicitly detail the direct compliance impact or specific regulatory violations.

Mitigation Strategies

Immediate mitigation steps focus on restricting or removing the vulnerable WebView JavaScript bridge to prevent arbitrary shell command execution.

  • Update the openclaw-android app to a version that includes the fix from the pending pull request which restricts WebView command bridge usage.
  • Apply the patch that replaces WebView-controlled shell command strings with native-side allowlisted command IDs, preventing arbitrary shell command execution.
  • Disable or restrict JavaScript execution in the WebView if possible, or disable file URL access to reduce attack surface.
  • Remove or restrict the `runCommand` and `runCommandAsync` bridge methods to avoid passing unchecked commands to the shell.
  • Validate and sanitize any inputs that could reach shell execution paths.

Since the fix is awaiting acceptance, manual patching or disabling the vulnerable features is recommended until an official update is released.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15193. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart