OpenClaw < 2026.3.22 - Arbitrary Code Execution via Unvalidated WebView...

8.6 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary instructions. Untrusted pages can invoke the canvas bridge to execute malicious code within the Android application context.

AI Analysis

Arbitrary code execution via unvalidated WebView JavascriptInterface in OpenClaw before 2026.3.22

Basic Information

ID CVE-2026-35643

Source VulnCheck

Published Apr 10, 2026 at 16:03

Affected Product

Vendor OpenClaw

Product OpenClaw

Affected Versions OpenClaw OpenClaw 0

CWE Classification

CWE-940

AI Assessment

AI Score 8.6 / 10

AI Severity High

Vendor OpenClaw

Product OpenClaw

Version < 2026.3.22

References

{
    "lastseen": "",
    "description": "OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary instructions. Untrusted pages can invoke the canvas bridge to execute malicious code within the Android application context.",
    "published": "2026-04-10T16:03:11.209Z",
    "modified": "2026-04-10T16:03:11.209Z",
    "type": "cve",
    "title": "OpenClaw < 2026.3.22 - Arbitrary Code Execution via Unvalidated WebView JavascriptInterface",
    "source": "VulnCheck",
    "references": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cxmw-p77q-wchg\nhttps://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87\nhttps://github.com/openclaw/openclaw/commit/8b02ef133275be96d8aac2283100016c8a7f32e5\nhttps://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-unvalidated-webview-javascriptinterface",
    "id": "CVE-2026-35643",
    "bulletinFamily": "",
    "cwe": [
        "CWE-940"
    ],
    "cvelist": null,
    "sourceData": "OpenClaw OpenClaw 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "OpenClaw",
    "version": "0",
    "vendor": "OpenClaw",
    "ai_description": "Arbitrary code execution via unvalidated WebView JavascriptInterface in OpenClaw before 2026.3.22",
    "ai_severity": "High",
    "ai_vendor": "OpenClaw",
    "ai_product": "OpenClaw",
    "ai_version": "< 2026.3.22",
    "ai_score": 8.6
}

OpenClaw < 2026.3.22 - Arbitrary Code Execution via Unvalidated WebView JavascriptInterface_CVE-2026-35643