CVE-2026-35643

OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary instructions. Untrusted pages can invoke the canvas bridge to execute malicious code within the Android application context...

CVE-2026-35643 OpenClaw < 2026.3.22 - Arbitrary Code Execution via Unvalidated WebView JavascriptInterface

OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary instructions. Untrusted pages can invoke the canvas bridge to execute malicious code within the Android application context...

CVE-2026-35643

OpenClaw, before 2026.3.22, is affected by an unvalidated WebView JavascriptInterface vulnerability that allows arbitrary code execution when untrusted pages invoke the canvas bridge to run code inside the Android app. Root cause: unvalidated JavascriptInterface exposure in WebView. Impact includ...

PT-2026-31958

OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary instructions. Untrusted pages can invoke the canvas bridge to execute malicious code within the Android application context...

GHSA-CXMW-P77Q-WCHG OpenClaw: Arbitrary code execution via unvalidated WebView JavascriptInterface

Summary Android Canvas WebView pages from untrusted origins could invoke the JavascriptInterface bridge and inject instructions into the app. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-2...