CVE-2026-47430: Cordova Plugin InAppBrowser: iOS: Arbitrary Cordova callback IDs can be dispatched without validation from InAppBrowser WebViews
## Summary

The iOS implementation of `cordova-plugin-inappbrowser` passes the `id` field from a `WKScriptMessage` body to `commandDelegate sendPluginResult:callbackId:` with no format validation (`CDVWKInAppBrowser.m:560–574`); the message's `d` field, JSON-decoded, becomes the plugin result delivered to that callback. Any web content loaded inside the InAppBrowser can therefore fire any pending Cordova callback in the host app by posting a message whose `id` field is a guessed or enumerated callback identifier. An attack must be tailored to the plugins and callback IDs the host app uses, though an attacker familiar with common Cordova plugin configurations could craft reusable payloads against widely adopted plugins.

## Impact

An unauthenticated remote attacker who controls content displayed in the InAppBrowser, via a URL the app opens (OAuth redirect, marketing link, deep-link target) or via network interception, can call `window.webkit.messageHandlers.cordova_iab.postMessage({id: '<victim-callback-id>', d: '...'})` to fire callbacks belonging to any other installed Cordova plugin (Camera, Contacts, File, Geolocation). Cordova callback IDs follow the format `<PluginName><integer>`, with the integer incremented per call, which makes enumeration feasible. Successful exploitation lets the attacker spoof plugin results across trust boundaries, for example by injecting a forged camera approval, a fabricated contacts list, or a crafted file-read response. This issue affects Cordova Plugin InAppBrowser from 3.1.0 through 6.0.0. Users are recommended to upgrade to version 6.0.1, which fixes the issue.
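To make the dispatch path concrete, the following is an added JavaScript model of the native handler's behaviour, written for this page; it is not the plugin's Objective-C code and not the 6.0.1 patch. `makeHost`, `dispatchUnchecked` and `makeCheckedDispatcher` are hypothetical names, and the callback IDs are constructed samples. The unchecked path forwards whatever `id` the page supplies; the checked path, one possible hardening, accepts only an ID the bridge itself handed to the page through an `executeScript` wrapper, and only once.

```javascript
// Added model of the cordova_iab message path, written in JavaScript so it
// runs offline. Not the plugin's Objective-C and not the upstream fix;
// helper names are hypothetical, sample callback IDs are constructed.

const CDVCommandStatus = { OK: 1, ERROR: 9 }; // Cordova status codes

// Mirrors how the native handler turns the message's `d` field into a result:
// absent -> OK with []; JSON array -> OK with that array; anything else -> ERROR.
function pluginResultFromMessage(body) {
  if (!('d' in body)) return { status: CDVCommandStatus.OK, message: [] };
  try {
    const decoded = JSON.parse(body.d);
    if (Array.isArray(decoded)) return { status: CDVCommandStatus.OK, message: decoded };
  } catch (_) {
    // malformed JSON falls through to ERROR
  }
  return { status: CDVCommandStatus.ERROR, message: [] };
}

// Stand-in for the host app's pending Cordova callbacks: callbackId -> plugin.
// sendPluginResult delivers a result to whichever plugin owns that id.
function makeHost() {
  const pending = new Map();
  const delivered = [];
  return {
    pending,
    delivered,
    sendPluginResult(result, callbackId) {
      if (!pending.has(callbackId)) return false;
      delivered.push({ callbackId, plugin: pending.get(callbackId), result });
      pending.delete(callbackId);
      return true;
    },
  };
}

function isDictionary(body) {
  return body !== null && typeof body === 'object' && !Array.isArray(body);
}

// Vulnerable behaviour (3.1.0 through 6.0.0): `id` is forwarded as received,
// so a page can answer any plugin's pending callback.
function dispatchUnchecked(host, body) {
  if (!isDictionary(body)) return false;
  return host.sendPluginResult(pluginResultFromMessage(body), body.id);
}

// One possible hardening (an assumption, not the shipped patch): the bridge
// records each callbackId it embeds in an executeScript wrapper and accepts a
// message only for one of those ids, exactly once.
function makeCheckedDispatcher() {
  const issued = new Set();
  return {
    issue(callbackId) { issued.add(callbackId); },
    dispatch(host, body) {
      if (!isDictionary(body)) return false;
      const id = body.id;
      if (typeof id !== 'string' || !/^InAppBrowser\d+$/.test(id)) return false;
      if (!issued.has(id)) return false;
      issued.delete(id);
      return host.sendPluginResult(pluginResultFromMessage(body), id);
    },
  };
}

// Scenario: a Camera callback and an InAppBrowser executeScript callback are
// pending; the page posts a forged Camera result (constructed sample).
function demo() {
  const forged = { id: 'Camera1234567891', d: JSON.stringify(['data:image/jpeg;base64,QUJD']) };

  const vulnerable = makeHost();
  vulnerable.pending.set('Camera1234567891', 'Camera');
  const forgedAccepted = dispatchUnchecked(vulnerable, forged);

  const hardened = makeHost();
  hardened.pending.set('Camera1234567891', 'Camera');
  hardened.pending.set('InAppBrowser1234567892', 'InAppBrowser');
  const bridge = makeCheckedDispatcher();
  bridge.issue('InAppBrowser1234567892'); // app called executeScript with a callback
  const forgedRejected = !bridge.dispatch(hardened, forged);
  const ownAccepted = bridge.dispatch(hardened, { id: 'InAppBrowser1234567892', d: '["title"]' });
  const replayRejected = !bridge.dispatch(hardened, { id: 'InAppBrowser1234567892', d: '["again"]' });

  return { forgedAccepted, forgedRejected, ownAccepted, replayRejected };
}

console.log(demo());
```

A prefix-only check (`^InAppBrowser\d+$`) would already stop cross-plugin spoofing, but it still lets the page answer any pending InAppBrowser callback; tracking the IDs actually handed out narrows the page to exactly the answers the app asked it for.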
Metrics
- CVSS v4.0: 9.5
- Severity: CRITICAL
- Fixed in: 6.0.1
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is an insufficient input validation vulnerability in the iOS implementation of Apache Cordova Plugin InAppBrowser (versions 3.1.0 through 6.0.0). A remote attacker who controls content loaded inside an InAppBrowser WebView needs no authentication to the host app: the plugin passes the message's 'id' field straight to the Cordova callback dispatcher without any format check. Successful exploitation lets the attacker fire arbitrary Cordova plugin callbacks in the host app, spoofing results from plugins such as Camera, Contacts, File, and Geolocation across trust boundaries. The advisory lists 6.0.1 as the fixed version; HarborGuard's patched-image rebuild targets that version and the advisory is re-checked on every ingest cycle in case the affected range changes.
HarborGuard Coverage
- Detection: Available
Detection of CVE-2026-47430 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including images built internally by customer teams (for example CI build images that carry the plugin as an npm dependency), not only images pulled from public registries.
- Severity scoring and triage routing: Available
HarborGuard scores this CVE at its published CVSS v4.0 severity of 9.5 (Critical), applies per-environment compliance policy weighting to prioritize alerting, and routes the finding to the appropriate team inbox within each customer organization based on configured ownership rules.
- Patched-image rebuild: targets 6.0.1
The advisory lists 6.0.1 as the fixed version, and HarborGuard's patched-image rebuild targets that version. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads are initiated automatically.
Exploit Conditions
- Network reachability: Required
The attacker must get content into the InAppBrowser WebView, either by controlling a URL the app opens (OAuth redirect, deep-link target, marketing link) or by intercepting the WebView's network traffic and injecting script into a page it loads.
- Authentication: Not required
No credentials or account are needed; any web content rendered inside the InAppBrowser can post the message to the `cordova_iab` handler without authenticating to the host app.
- Victim interaction: Not required
No user action beyond the app's normal operation of opening a URL in the InAppBrowser is needed; the attacker's payload executes as part of page load or script execution inside the WebView.
- Attack complexity: High
The attacker must know or enumerate live callback IDs and time the payload to a pending callback of the targeted plugin. IDs are `<PluginName>` followed by an integer that cordova.js increments by one per exec call from a starting value seeded with Math.random() at app launch, so the space is sequential but its offset is unknown until one live ID leaks; the plugin itself reveals one whenever the host app calls executeScript with a callback, because the injected result wrapper carries that callback ID.
Blast Radius
- The attacker can inject forged plugin results, such as a fabricated camera approval or a spoofed contacts list, into the host app's Cordova plugin dispatch pipeline.
- The attacker can feed crafted file-read or geolocation responses to any plugin awaiting a pending callback, causing the app to act on attacker-controlled data.
- Confidentiality is rated High at both app and subsequent-system scope (VC:H, SC:H in the vector). This bug does not let the attacker read real plugin results; the exposure is indirect, since a forged result (a spoofed permission grant, a crafted file-read response) can steer the app into handling or disclosing data it would otherwise have protected.
- Integrity of app state is rated High at both scopes (VI:H, SI:H): the attacker can manipulate any decision or data flow that depends on a plugin callback result.
How HarborGuard Handles This
Available on HarborGuard: the advisory lists 6.0.1 as the fixed version, and HarborGuard's patched-image rebuild targets that version; the Apache advisory is re-checked on every ingest cycle in case the affected range changes. Until affected workloads are rebuilt, compensating controls are worth considering: have the app open only allowlisted origins in the InAppBrowser and hand everything else to the system browser (the plugin's `_system` target), which runs outside the app process and has no `cordova_iab` handler; feature-flag gating to disable InAppBrowser where it is not essential; and review of OAuth redirect and deep-link targets that an attacker could register or intercept. Network egress policy is not a substitute: the WebView accepts the message from whatever page it renders, so the allowlist has to be enforced at the point where the app chooses the URL and target. For customers with auto-remediation enabled, HarborGuard initiates a rebuild at the fix version, runs regression tests, and opens a PR against affected workloads without manual intervention.
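One way to apply the URL allowlisting above while an app is still on a vulnerable plugin version, as an added example written for this page (not the plugin's code): route only allowlisted https origins into the in-app WebView and hand every other URL to the system browser through the plugin's `_system` target, which runs outside the app process and has no `cordova_iab` handler. `ALLOWED_ORIGINS`, `chooseTarget`, `openUrl` and `classifyAll` are hypothetical names, and the sample origins and URLs are constructed.

```javascript
// Added example for this page, not plugin code. Decides where a URL is opened
// while the app is still on cordova-plugin-inappbrowser <= 6.0.0: allowlisted
// https origins may use the in-app WebView ('_blank'); everything else goes to
// the system browser ('_system'), a separate process with no cordova_iab
// handler. ALLOWED_ORIGINS is a constructed sample allowlist.

const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://accounts.example.com',
]);

function chooseTarget(rawUrl, allowedOrigins = ALLOWED_ORIGINS) {
  let u;
  try {
    u = new URL(String(rawUrl));
  } catch (_) {
    return '_system'; // unparseable: never load it in-app
  }
  // Only https reaches the WebView; javascript:, data:, file: and custom schemes do not.
  if (u.protocol !== 'https:') return '_system';
  // URL.origin is scheme + host + non-default port with userinfo stripped, so
  // 'https://app.example.com@evil.test/' compares as 'https://evil.test'.
  return allowedOrigins.has(u.origin) ? '_blank' : '_system';
}

// Wrapper around the plugin's open(url, target, options). Returns the chosen
// target so callers can see the decision even without a Cordova runtime.
function openUrl(rawUrl, options = 'location=yes') {
  const target = chooseTarget(rawUrl);
  if (typeof cordova !== 'undefined' && cordova.InAppBrowser) {
    cordova.InAppBrowser.open(rawUrl, target, options);
  }
  return target;
}

// Constructed sample URLs an app might receive from a deep link or OAuth flow.
const SAMPLE_URLS = [
  'https://app.example.com/settings',
  'https://app.example.com:443/settings',
  'https://app.example.com@evil.test/',
  'https://app.example.com.evil.test/',
  'http://app.example.com/',
  'javascript:alert(document.cookie)',
  'not a url',
];

function classifyAll(urls = SAMPLE_URLS) {
  return Object.fromEntries(urls.map((u) => [u, chooseTarget(u)]));
}

console.log(classifyAll());
```

Matching on `URL.origin` rather than on a string prefix is what defeats the userinfo and subdomain look-alikes in the sample list; an OAuth provider that must redirect back into the app should do so through a registered custom scheme or universal link, not through a page rendered in the InAppBrowser.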
- Apache Software Foundation / Cordova Plugin InAppBrowser: 3.1.0 through 6.0.0 (fixed in 6.0.1)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H