CVE-2026-35643 Overview
CVE-2026-35643 is a critical unvalidated WebView JavascriptInterface vulnerability affecting OpenClaw versions prior to 2026.3.22. This flaw allows attackers to inject arbitrary instructions through untrusted web pages that invoke the canvas bridge, enabling malicious code execution within the Android application context. The vulnerability represents a significant mobile app security risk, as it enables remote exploitation through user interaction with compromised web content.
Critical Impact
Remote attackers can execute arbitrary code within the Android application context by exploiting the unvalidated WebView JavascriptInterface, potentially leading to full application compromise and data theft.
Affected Products
- OpenClaw versions prior to 2026.3.22
- OpenClaw Node.js package (all vulnerable versions)
- OpenClaw Android application components using WebView
Discovery Timeline
- 2026-04-10 - CVE-2026-35643 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-35643
Vulnerability Analysis
This vulnerability (classified under CWE-940: Improper Verification of Source of a Communication Channel) stems from improper validation in the WebView JavascriptInterface implementation. When a WebView loads untrusted content, the exposed JavascriptInterface methods can be invoked by malicious JavaScript without proper origin verification. This allows attackers to call sensitive bridge functions that were intended only for trusted content.
The canvas bridge component is particularly dangerous because it provides a pathway for executing operations within the application's security context. Successful exploitation requires user interaction: the victim must navigate to, or be directed to, a malicious webpage that contains the exploit code. Once triggered, the attacker gains the ability to execute arbitrary instructions with the same privileges as the host application.
Root Cause
The root cause is the absence of proper source verification for communications received through the WebView JavascriptInterface. OpenClaw failed to validate that incoming JavaScript calls to the canvas bridge originated from trusted sources, allowing any webpage loaded in the WebView to invoke sensitive methods. This design flaw violates the principle of least privilege and enables untrusted content to interact with privileged application components.
Attack Vector
The attack is network-based and requires user interaction. An attacker crafts a malicious webpage containing JavaScript that targets the exposed canvas bridge interface. When a victim loads this page within the OpenClaw application's WebView component, the malicious script invokes the unvalidated JavascriptInterface methods. These calls are processed as legitimate commands, allowing the attacker to execute arbitrary instructions within the application's context. The attack can be delivered through various vectors including phishing links, compromised websites, or malicious advertisements.
The vulnerability mechanism involves exploiting the exposed canvas bridge in the WebView JavascriptInterface. Malicious JavaScript on an untrusted page can invoke methods on the exposed interface object, bypassing intended security boundaries. For detailed technical information, refer to the GitHub Security Advisory and the VulnCheck Security Advisory.
Detection Methods for CVE-2026-35643
Indicators of Compromise
- Unexpected JavaScript execution patterns within the application's WebView logs
- Network traffic to suspicious or unknown domains during WebView sessions
- Anomalous invocations of canvas bridge methods from untrusted origins
- Application crashes or unexpected behavior following web navigation events
Detection Strategies
- Monitor WebView JavaScript bridge calls for suspicious method invocations from external origins
- Implement application-level logging to capture all JavascriptInterface method calls with source URLs
- Deploy mobile application security tools capable of detecting WebView exploitation attempts
- Review network traffic for indicators of malicious content delivery to WebView components
Monitoring Recommendations
- Enable verbose logging for WebView components during security testing and incident response
- Implement real-time alerting for unusual patterns in JavascriptInterface activity
- Conduct regular security audits of WebView configurations and exposed interfaces
- Monitor for attempted exploitation using behavioral analysis tools
How to Mitigate CVE-2026-35643
Immediate Actions Required
- Upgrade OpenClaw to version 2026.3.22 or later immediately
- If immediate upgrade is not possible, disable WebView components that expose JavascriptInterface methods
- Review and restrict which URLs can be loaded within the application's WebView
- Implement Content Security Policy restrictions where applicable
Patch Information
OpenClaw has released security patches addressing this vulnerability. The fixes are available in the following commits:
- Security patch commit 630f1479c44f78484dfa21bb407cbe6f171dac87
- Security patch commit 8b02ef133275be96d8aac2283100016c8a7f32e5
For complete security advisory details, see the GitHub Security Advisory GHSA-cxmw-p77q-wchg.
Workarounds
- Restrict WebView to load only trusted, whitelisted URLs
- Remove or disable the JavascriptInterface annotation on vulnerable bridge methods
- Implement origin validation checks before processing any JavascriptInterface calls
- Consider using alternative components that do not expose JavaScript bridges to untrusted content
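As an added example, not OpenClaw's code, the following Java sketch shows the two patterns that the Root Cause and Workarounds sections describe: a bridge object whose method is reachable from every page the WebView loads, and a hardened replacement that (a) restricts navigation to one trusted origin and (b) swaps the raw @JavascriptInterface object for AndroidX's WebViewCompat.addWebMessageListener, which only injects the bridge into pages whose origin matches an allowlist and hands each call its source origin, so every invocation can be logged with its origin as the Detection section recommends. The class names, the canvas origin, the JavaScript object name and the instruction sink are placeholders chosen for illustration.

```java
// Added example (not OpenClaw's code): a WebView canvas bridge shown in its weak
// form and in a hardened form. All class, method and host names below are
// hypothetical placeholders chosen for illustration.
import android.net.Uri;
import android.util.Log;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import androidx.annotation.NonNull;
import androidx.webkit.JavaScriptReplyProxy;
import androidx.webkit.WebMessageCompat;
import androidx.webkit.WebViewCompat;
import androidx.webkit.WebViewFeature;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;

public final class CanvasBridgeHardening {
    private static final String TAG = "CanvasBridge";
    // Assumption: the canvas UI is served from exactly this origin (placeholder value).
    private static final Uri TRUSTED_ORIGIN = Uri.parse("https://canvas.example.invalid");
    // Accepted instructions, kept so the behaviour is observable in logs and tests.
    static final List<String> ACCEPTED = new ArrayList<>();

    /** Weak pattern: whatever page the WebView is showing can call runInstruction(). */
    public static final class UnvalidatedCanvasBridge {
        @JavascriptInterface
        public void runInstruction(String instruction) {
            // No check of the calling page's origin: a phishing page loaded in the
            // WebView reaches this method exactly like the trusted canvas page would.
            execute(instruction);
        }
    }

    public static void installWeakBridge(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new UnvalidatedCanvasBridge(), "canvasBridge");
    }

    /** Hardened: navigation allowlist plus an origin-bound channel, with every call logged. */
    public static void installHardenedBridge(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);

        // (1) Only the trusted origin may be navigated to inside this WebView.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                Uri target = request.getUrl();
                if (!sameOrigin(target)) {
                    Log.w(TAG, "blocked navigation to " + target);
                    return true;   // consumed: the WebView loads nothing
                }
                return false;
            }
        });

        // (2) Replace the raw @JavascriptInterface object with a message listener that the
        // platform only exposes to pages whose origin matches the allowlist.
        if (!WebViewFeature.isFeatureSupported(WebViewFeature.WEB_MESSAGE_LISTENER)) {
            throw new IllegalStateException("WebMessageListener unsupported; leave the bridge disabled");
        }
        Set<String> allowedOriginRules = Collections.singleton(TRUSTED_ORIGIN.toString());
        WebViewCompat.addWebMessageListener(webView, "canvasBridge", allowedOriginRules,
            new WebViewCompat.WebMessageListener() {
                @Override
                public void onPostMessage(@NonNull WebView view, @NonNull WebMessageCompat message,
                                          @NonNull Uri sourceOrigin, boolean isMainFrame,
                                          @NonNull JavaScriptReplyProxy replyProxy) {
                    // Every bridge call is logged with its source origin, so an unexpected
                    // caller shows up in logcat even if the allowlist were ever misconfigured.
                    Log.i(TAG, "bridge call origin=" + sourceOrigin + " mainFrame=" + isMainFrame);
                    if (!isMainFrame || !sameOrigin(sourceOrigin)) {
                        Log.w(TAG, "rejected bridge call from " + sourceOrigin);
                        return;
                    }
                    String instruction = message.getData();
                    if (instruction != null) execute(instruction);
                }
            });
    }

    /** Scheme, host and port must all match the trusted origin; http:// or lookalike hosts fail. */
    static boolean sameOrigin(Uri candidate) {
        return candidate != null
            && TRUSTED_ORIGIN.getScheme().equals(candidate.getScheme())
            && TRUSTED_ORIGIN.getHost().equalsIgnoreCase(candidate.getHost())
            && TRUSTED_ORIGIN.getPort() == candidate.getPort();
    }

    private static void execute(String instruction) {
        // Stand-in for the application's real canvas logic.
        ACCEPTED.add(instruction);
        Log.d(TAG, "executing " + instruction);
    }
}
```

On the page side the trusted canvas calls `canvasBridge.postMessage("...")`, and the listener must be registered before the page is loaded. The navigation allowlist in step (1) is defense in depth only: it is not consulted for loads the app itself issues, and reading the WebView's current URL back from inside a @JavascriptInterface method is unreliable because such methods run on a background thread and the page may navigate between the check and the use. The origin-bound channel in step (2) is what actually closes the CWE-940 gap, since the platform decides which frames ever see the bridge object and reports the verified origin with each message; the explicit re-check in onPostMessage is there so that a rejected call is logged rather than silently dropped.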
# Verify OpenClaw version is patched
openclaw --version
# Expected output: 2026.3.22 or later
# Review application configuration for WebView restrictions
grep -E "(allowedOrigins|javascriptEnabled)" config/webview-settings.json
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.