Skip to main content

Google EUVDEUVD-2026-21438

| CVE-2026-35643 HIGH
Improper Verification of Source of a Communication Channel (CWE-940)
2026-04-10 VulnCheck GHSA-cxmw-p77q-wchg
8.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Apr 10, 2026 - 16:30 euvd
EUVD-2026-21438
Analysis Generated
Apr 10, 2026 - 16:30 vuln.today
Patch released
Apr 10, 2026 - 16:30 nvd
Patch available
CVE Published
Apr 10, 2026 - 16:03 nvd
HIGH 8.6

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 5 npm packages depend on openclaw (5 direct, 0 indirect)

Ecosystem-wide dependent count for version 2026.3.22.

DescriptionCVE.org

OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary instructions. Untrusted pages can invoke the canvas bridge to execute malicious code within the Android application context.

AnalysisAI

Remote code execution in OpenClaw Android application (versions before 2026.3.22) allows unauthenticated attackers to execute arbitrary code through an unvalidated WebView JavascriptInterface. Attackers craft malicious web pages that invoke the exposed canvas bridge, executing instructions within the application's Android context when users interact with untrusted content. The vulnerability requires user interaction but no authentication, enabling high-severity compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis.

Technical ContextAI

CWE-940 flaw in Android WebView implementation exposes JavascriptInterface without proper origin validation. The canvas bridge interface accepts commands from any loaded webpage, bypassing Android's security boundary between web content and native application code. Affects cpe:2.3:a:openclaw:openclaw prior to 2026.3.22 release.

RemediationAI

Vendor-released patch: upgrade to OpenClaw version 2026.3.22 or later, which addresses the unvalidated JavascriptInterface exposure. The fix implements proper origin validation for WebView bridge methods and restricts JavaScript interface access to trusted content sources. Upstream commits 630f1479c44f78484dfa21bb407cbe6f171dac87 and 8b02ef133275be96d8aac2283100016c8a7f32e5 contain the security patches. Until upgrade is feasible, disable WebView functionality or restrict application usage to prevent loading untrusted web content. Consult vendor advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-cxmw-p77q-wchg and VulnCheck analysis: https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-unvalidated-webview-javascriptinterface for additional implementation guidance.

Share

EUVD-2026-21438 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy