Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Blast Radius
ecosystem impact- 5 npm packages depend on openclaw (5 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.3.22.
DescriptionCVE.org
OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary instructions. Untrusted pages can invoke the canvas bridge to execute malicious code within the Android application context.
AnalysisAI
Remote code execution in OpenClaw Android application (versions before 2026.3.22) allows unauthenticated attackers to execute arbitrary code through an unvalidated WebView JavascriptInterface. Attackers craft malicious web pages that invoke the exposed canvas bridge, executing instructions within the application's Android context when users interact with untrusted content. The vulnerability requires user interaction but no authentication, enabling high-severity compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis.
Technical ContextAI
CWE-940 flaw in Android WebView implementation exposes JavascriptInterface without proper origin validation. The canvas bridge interface accepts commands from any loaded webpage, bypassing Android's security boundary between web content and native application code. Affects cpe:2.3:a:openclaw:openclaw prior to 2026.3.22 release.
RemediationAI
Vendor-released patch: upgrade to OpenClaw version 2026.3.22 or later, which addresses the unvalidated JavascriptInterface exposure. The fix implements proper origin validation for WebView bridge methods and restricts JavaScript interface access to trusted content sources. Upstream commits 630f1479c44f78484dfa21bb407cbe6f171dac87 and 8b02ef133275be96d8aac2283100016c8a7f32e5 contain the security patches. Until upgrade is feasible, disable WebView functionality or restrict application usage to prevent loading untrusted web content. Consult vendor advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-cxmw-p77q-wchg and VulnCheck analysis: https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-unvalidated-webview-javascriptinterface for additional implementation guidance.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21438
GHSA-cxmw-p77q-wchg