Skip to main content

Mondoo

Vulnerability Management
Technology
Services

Solutions

Financial Services
Manufacturing
Healthcare

Resources

Blog
Vulnerability Database
Documentation
GitHub

Company

About
Careers
Partners
Contact

Legal

Privacy
Terms
Imprint

© 2026 Mondoo, Inc.

Log in Get Assessment

GHSA-cxmw-p77q-wchg | Mondoo Vulnerability Intelligence

Vulnerability IntelligenceGHSA-cxmw-p77q-wchg

GHSA-cxmw-p77q-wchg

HIGH7.1

OpenClaw: Arbitrary code execution via unvalidated WebView JavascriptInterface

Published Mar 26, 2026

Modified 2 weeks ago

Fix available

Details

Summary

Android Canvas WebView pages from untrusted origins could invoke the JavascriptInterface bridge and inject instructions into the app.

Affected Packages / Versions

Package: openclaw (npm)
Affected: < 2026.3.22
Fixed: >= 2026.3.22
Latest released tag checked: v2026.3.23-2 (630f1479c44f78484dfa21bb407cbe6f171dac87)
Latest published npm version checked: 2026.3.23-2

Fix Commit(s)

8b02ef133275be96d8aac2283100016c8a7f32e5

Release Status

The fix shipped in v2026.3.22 and remains present in v2026.3.23 and v2026.3.23-2.

Code-Level Confirmation

apps/android/app/src/main/java/ai/openclaw/app/ui/CanvasScreen.kt now snapshots page origin and rejects untrusted bridge calls.
apps/android/app/src/main/java/ai/openclaw/app/node/CanvasActionTrust.kt centralizes trusted origin and path validation for the bridge.

OpenClaw thanks @cyjhhh for reporting.

Affected Packages

openclaw

npm

Fixed in:

2026.3.22

References

https://github.com/advisories/GHSA-cxmw-p77q-wchg

https://github.com/openclaw/openclaw

https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87

https://github.com/openclaw/openclaw/security/advisories/GHSA-cxmw-p77q-wchg

CVSS Analysis

CVSS v4.0

7.1

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Attack Requirements

NoneAT:N

Privileges Required

NonePR:N

User Interaction

PassiveUI:P

Vulnerable System

Vuln. Confidentiality

NoneVC:N

Vuln. Integrity

HighVI:H

Vuln. Availability

NoneVA:N

Subsequent System

Subseq. Confidentiality

NoneSC:N

Subseq. Integrity

NoneSI:N

Subseq. Availability

NoneSA:N

7.1/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Ecosystems

Timeline

PublishedMar 26, 2026

ModifiedMar 26, 2026