CVE-2026-35643

high

Description

OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary instructions. Untrusted pages can invoke the canvas bridge to execute malicious code within the Android application context.

References

Advisories
More

https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-unvalidated-webview-javascriptinterface

https://github.com/openclaw/openclaw/security/advisories/GHSA-cxmw-p77q-wchg

https://github.com/openclaw/openclaw/commit/8b02ef133275be96d8aac2283100016c8a7f32e5

https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87

Details

Source: Mitre, NVD

Published: 2026-04-10

Updated: 2026-04-13

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 8.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Severity: High

CVSS v4

Base Score: 8.6

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Severity: High

EPSS

EPSS: 0.00037