CVE-2026-35643
OpenClaw < 2026.3.22 - Arbitrary Code Execution via Unvalidated WebView JavascriptInterface
CVSS Score
8.8
EPSS Score
0.0%
EPSS Percentile
11th
OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary instructions. Untrusted pages can invoke the canvas bridge to execute malicious code within the Android application context.
| CWE | CWE-940 |
| Vendor | openclaw |
| Product | openclaw |
| Published | Apr 10, 2026 |
| Last Updated | Apr 14, 2026 |
Stay Ahead of the Next One
Get instant alerts for openclaw openclaw
Be the first to know when new high vulnerabilities affecting openclaw openclaw are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
OpenClaw / OpenClaw
0 < 2026.3.22
References
github.com: https://github.com/openclaw/openclaw/security/advisories/GHSA-cxmw-p77q-wchg github.com: https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87 github.com: https://github.com/openclaw/openclaw/commit/8b02ef133275be96d8aac2283100016c8a7f32e5 vulncheck.com: https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-unvalidated-webview-javascriptinterface
Credits
๐ cyjhhh