CVE-2026-35643

HIGH

OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary instructions. Untrusted pages can invoke the canvas bridge to execute malicious code within the Android application context.

CVSS v3.1 Score

8.8
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
NETWORK
Complexity
LOW
Privileges
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Published: 4/10/2026Modified: 4/13/2026

Related Intelligence (1)

HIGHVulnerability

NVD HIGH: CVE-2026-35643 — OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vu...

OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary instructions. Untrusted pages can invoke the canvas bridge to execute malicious code within the Android application context.

CVE-2026-35643
NIST NVD

References (4)

https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87Patchhttps://github.com/openclaw/openclaw/commit/8b02ef133275be96d8aac2283100016c8a7f32e5Patchhttps://github.com/openclaw/openclaw/security/advisories/GHSA-cxmw-p77q-wchgVendor Advisoryhttps://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-unvalidated-webview-javascriptinterfaceThird Party Advisory