CVE-2026-35643
Published: 10 April 2026
Summary
CVE-2026-35643 is a high-severity Improper Verification of Source of a Communication Channel (CWE-940) vulnerability in OpenClaw. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 12.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5, AI-generated)
- SI-10 (Information Input Validation): Enforces validation of untrusted inputs from WebView JavascriptInterfaces to prevent attackers from injecting arbitrary instructions into the Android application context.
- SI-2 (Flaw Remediation): Requires timely identification, reporting, and correction of flaws like the unvalidated JavascriptInterface vulnerability through patching to OpenClaw 2026.3.22 or later.
- CM-7 (Least Functionality): Configures the system to provide only essential capabilities, prohibiting or restricting unnecessary JavascriptInterfaces such as the vulnerable canvas bridge.
MITRE ATT&CK Enterprise Techniques (AI-generated)
- T1203 (Exploitation for Client Execution)
Why these techniques?
The unvalidated WebView JavascriptInterface vulnerability directly enables arbitrary code execution from malicious web content loaded in the client Android application, mapping to exploitation for client execution.
NVD Description
OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary instructions. Untrusted pages can invoke the canvas bridge to execute malicious code within the Android application context.
Deeper analysis (AI-generated)
CVE-2026-35643 is an unvalidated WebView JavascriptInterface vulnerability in OpenClaw versions prior to 2026.3.22. The flaw enables attackers to inject arbitrary instructions through the canvas bridge: an untrusted web page loaded in the Android application's WebView can reach the bridge and execute malicious code within the application's context. The issue is classified under CWE-940 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H); the High rating reflects full confidentiality, integrity, and availability impact.
Attackers can exploit this vulnerability remotely over the network with low complexity and no required privileges, though it necessitates user interaction, such as loading a malicious or compromised web page in the affected WebView. Successful exploitation grants arbitrary code execution in the Android application context, potentially leading to high confidentiality, integrity, and availability impacts, including data theft, app compromise, or further system-level attacks depending on app permissions.
Mitigation is addressed in OpenClaw patches via GitHub commits 630f1479c44f78484dfa21bb407cbe6f171dac87 and 8b02ef133275be96d8aac2283100016c8a7f32e5, with full details in the project's security advisory at GHSA-cxmw-p77q-wchg. Security practitioners should update to OpenClaw 2026.3.22 or later and review VulnCheck's advisory at www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-unvalidated-webview-javascriptinterface for additional analysis.
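The defensive pattern behind the CM-7 and SI-10 controls listed above, and the CWE-940 root cause described in the analysis, can be shown in a small Android bridge. The following is an added example written for this page; it is not OpenClaw's code and not the referenced patch. It assumes a hypothetical trusted origin (`canvas.example.invalid`), a hypothetical bridge name (`canvasBridge`) and a made-up command vocabulary. Instead of `addJavascriptInterface`, which exposes the native object to every page and frame the WebView ever loads, it uses `WebViewCompat.addWebMessageListener` from androidx.webkit, which only delivers messages from the listed origins, and it still validates every payload against a closed grammar before acting on it.

```java
// Added illustration, not OpenClaw code: a WebView-to-native bridge whose
// caller origin is verified by the WebView itself and whose payload is
// validated before any native action runs. The host name, the bridge name
// and the command vocabulary are hypothetical.
import android.net.Uri;
import android.webkit.WebView;
import androidx.webkit.JavaScriptReplyProxy;
import androidx.webkit.WebMessageCompat;
import androidx.webkit.WebViewCompat;
import androidx.webkit.WebViewFeature;
import java.util.Collections;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class OriginCheckedCanvasBridge {
    // Hypothetical trusted origin: only pages served from here may post to the bridge.
    private static final Set<String> ALLOWED_ORIGINS =
            Collections.singleton("https://canvas.example.invalid");

    // Hypothetical bridge vocabulary: a closed set of commands, each with a fixed
    // argument shape. Anything that does not match is refused outright.
    private static final Pattern COMMAND =
            Pattern.compile("^(resize|redraw):(\\d{1,4})x(\\d{1,4})$");

    private OriginCheckedCanvasBridge() {}

    // Attaches the bridge. Must be called on the UI thread, like all WebView setup.
    public static void install(WebView webView) {
        if (!WebViewFeature.isFeatureSupported(WebViewFeature.WEB_MESSAGE_LISTENER)) {
            // No origin-checked channel is available on this WebView. Do not fall
            // back to addJavascriptInterface: that would expose the object to any
            // page or iframe, which is exactly the CWE-940 condition.
            throw new IllegalStateException("WebView too old for an origin-checked bridge");
        }
        WebViewCompat.addWebMessageListener(webView, "canvasBridge", ALLOWED_ORIGINS,
                OriginCheckedCanvasBridge::onPostMessage);
    }

    private static void onPostMessage(WebView view, WebMessageCompat message, Uri sourceOrigin,
                                      boolean isMainFrame, JavaScriptReplyProxy reply) {
        // The WebView already filters on ALLOWED_ORIGINS; the origin is rechecked here
        // (defence in depth) and cross-origin iframes are refused explicitly.
        if (!isMainFrame || !ALLOWED_ORIGINS.contains(sourceOrigin.toString())) {
            reply.postMessage("rejected:origin");
            return;
        }
        String data = message.getData();
        String result = (data == null) ? null : handle(data);
        reply.postMessage(result == null ? "rejected:input" : result);
    }

    // Parses one bridge message against the closed grammar; returns null on any
    // mismatch. Nothing in the message is interpreted as code or passed through
    // unparsed, so a page cannot smuggle "arbitrary instructions" through it.
    static String handle(String data) {
        Matcher m = COMMAND.matcher(data);
        if (!m.matches()) {
            return null;
        }
        int width = Integer.parseInt(m.group(2));
        int height = Integer.parseInt(m.group(3));
        if (width == 0 || height == 0 || width > 4096 || height > 4096) {
            return null;
        }
        // A real implementation would resize or redraw its canvas here.
        return m.group(1) + ":ok:" + width + "x" + height;
    }
}
```

On the page side, a trusted page calls `canvasBridge.postMessage("resize:800x600")` and reads the reply through `canvasBridge.onmessage`; a page from any other origin never sees a `canvasBridge` object at all, so the communication channel's source is verified by the platform before the native code runs, and the grammar check covers the input-validation half.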
Details
- CWE(s)