{"data":{"id":"92c4f547-001d-4b98-8288-cb79be413366","title":"GHSA-cxmw-p77q-wchg: OpenClaw: Arbitrary code execution via unvalidated WebView JavascriptInterface","summary":"Android Canvas WebView pages (web content displayed inside an Android app) from untrusted sources could call the JavascriptInterface bridge (a connection that lets web code run native app commands), allowing attackers to inject malicious instructions into the app. The vulnerability was fixed by validating the origin (where the web content comes from) before allowing bridge calls.","solution":"Update to version 2026.3.22 or later. The fix validates page origin and rejects untrusted bridge calls, with trusted origin and path validation now centralized in CanvasActionTrust.kt.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-cxmw-p77q-wchg","publishedAt":"2026-03-26T19:30:52.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["openclaw@< 2026.3.22 (fixed: 2026.3.22)"],"affectedVendors":[],"affectedVendorsRaw":["OpenClaw"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":true,"disclosureDate":"2026-03-26T19:30:52.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":null}}