HIGHCVE-2026-35643Published 2026-04-10Modified 2026-04-14CNA VulnCheck

CVE-2026-35643: OpenClaw < 2026.3.22 - Arbitrary Code Execution via Unvalidated WebView JavascriptInterface

OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary instructions. Untrusted pages can invoke the canvas bridge to execute malicious code within the Android application context.

CVSS v4.0: 8.6
Severity: HIGH
Fixed in: 2026.3.22
Affected Products: 1

Fix available

2026.3.22

Patch commits

Patch Commit #1
Patch Commit #2

Affected packages

OpenClaw / OpenClaw
< 2026.3.22 (from 0)
Fixed in 2026.3.22

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

GitHub Security Advisory (GHSA-cxmw-p77q-wchg)
Patch Commit #1
Patch Commit #2
VulnCheck Advisory: OpenClaw < 2026.3.22 - Arbitrary Code Execution via Unvalidated WebView JavascriptInterface

Metrics

Fix available