GHSA-cxmw-p77q-wchg | Mondoo Vulnerability Intelligence

GHSA-cxmw-p77q-wchg

HIGH8.8

OpenClaw: Arbitrary code execution via unvalidated WebView JavascriptInterface

Published Mar 26, 2026

Modified 2 weeks ago

Fix available

Details

Summary

Android Canvas WebView pages from untrusted origins could invoke the JavascriptInterface bridge and inject instructions into the app.

Affected Packages / Versions

Package: openclaw (npm)
Affected: < 2026.3.22
Fixed: >= 2026.3.22
Latest released tag checked: v2026.3.23-2 (630f1479c44f78484dfa21bb407cbe6f171dac87)
Latest published npm version checked: 2026.3.23-2

Fix Commit(s)

8b02ef133275be96d8aac2283100016c8a7f32e5

Release Status

The fix shipped in v2026.3.22 and remains present in v2026.3.23 and v2026.3.23-2.

Code-Level Confirmation

apps/android/app/src/main/java/ai/openclaw/app/ui/CanvasScreen.kt now snapshots page origin and rejects untrusted bridge calls.
apps/android/app/src/main/java/ai/openclaw/app/node/CanvasActionTrust.kt centralizes trusted origin and path validation for the bridge.

OpenClaw thanks @cyjhhh for reporting.

Affected Packages

openclaw

npm

Fixed in:

2026.3.22

References

https://github.com/advisories/GHSA-cxmw-p77q-wchg

https://github.com/openclaw/openclaw

https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87

https://github.com/openclaw/openclaw/commit/8b02ef133275be96d8aac2283100016c8a7f32e5

https://github.com/openclaw/openclaw/security/advisories/GHSA-cxmw-p77q-wchg

https://nvd.nist.gov/vuln/detail/CVE-2026-35643

https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-unvalidated-webview-javascriptinterface

Aliases

CVSS Analysis

CVSS v4.0

8.6

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Attack Requirements

NoneAT:N

Privileges Required

NonePR:N

User Interaction

ActiveUI:A

Vulnerable System

Vuln. Confidentiality

HighVC:H

Vuln. Integrity

HighVI:H

Vuln. Availability

HighVA:H

Subsequent System

Subseq. Confidentiality

NoneSC:N

Subseq. Integrity

NoneSI:N

Subseq. Availability

NoneSA:N

8.6/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Related

Ecosystems

Timeline

PublishedMar 26, 2026

ModifiedApr 10, 2026