GHSA-cxmw-p77q-wchg: OpenClaw: Arbitrary code execution via unvalidated WebView JavascriptInterface
Summary
Android Canvas WebView pages (web content displayed inside an Android app) loaded from untrusted sources could call the JavascriptInterface bridge (a connection that lets web code invoke native app commands), allowing an attacker who controls such a page to run arbitrary instructions in the app. The vulnerability was fixed by validating the origin (where the web content comes from) before allowing bridge calls.
Solution / Mitigation
Update to version 2026.3.22 or later. The fix validates page origin and rejects untrusted bridge calls, with trusted origin and path validation now centralized in CanvasActionTrust.kt.
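The fix described above centralizes trusted-origin and path validation. As an added illustration of that pattern (this is not OpenClaw's code and does not reproduce CanvasActionTrust.kt), the following plain-JVM Kotlin gates every bridge call on an allow-list of scheme, host, port and path prefix for the page currently loaded in the WebView. The origin `canvas.example.invalid`, the `/canvas/` prefix, and the class names `CanvasTrust` and `CanvasBridge` are assumptions chosen for the example; the test URLs at the bottom are constructed.

```kotlin
// Added example (not OpenClaw's code): an allow-list gate for a WebView
// JavascriptInterface bridge. Uses java.net.URI so it runs without Android;
// the trusted origin and path prefix below are constructed for the example.
import java.net.URI

data class TrustedOrigin(val scheme: String, val host: String, val port: Int)

object CanvasTrust {
    // Hypothetical allow-list: only pages served from this exact origin,
    // under this path prefix, may use the native bridge.
    private val trustedOrigins = setOf(TrustedOrigin("https", "canvas.example.invalid", 443))
    private const val ALLOWED_PATH_PREFIX = "/canvas/"

    /** True only when scheme, host, port and normalized path are all on the allow-list. */
    fun isTrustedPage(pageUrl: String?): Boolean {
        // WebView.getUrl() can be null before the first load: fail closed.
        if (pageUrl.isNullOrBlank()) return false
        val uri = try { URI(pageUrl) } catch (e: Exception) { return false }
        val scheme = uri.scheme?.lowercase() ?: return false
        val host = uri.host?.lowercase() ?: return false   // rejects about:blank, data:, javascript:
        val port = if (uri.port == -1) defaultPort(scheme) else uri.port
        if (TrustedOrigin(scheme, host, port) !in trustedOrigins) return false
        // Normalize "." and ".." segments so "/canvas/../admin/" cannot pass a naive prefix check.
        val path = uri.normalize().path ?: return false
        return path.startsWith(ALLOWED_PATH_PREFIX)
    }

    private fun defaultPort(scheme: String): Int = when (scheme) {
        "https" -> 443
        "http" -> 80
        else -> -1
    }
}

/** Stands in for the object Android would expose via WebView.addJavascriptInterface. */
class CanvasBridge(private val currentPageUrl: () -> String?) {
    // On Android this method would carry @JavascriptInterface. Bridge calls arrive on a
    // background thread, so the page URL must be read from webView.url on the main thread
    // (e.g. posted through a Handler) before the action is dispatched.
    fun runAction(action: String): String {
        val url = currentPageUrl()
        if (!CanvasTrust.isTrustedPage(url)) {
            return "rejected: untrusted page ${url ?: "<null>"}"
        }
        return "executed: $action"
    }
}

fun main() {
    // Constructed cases: one trusted page, then the usual ways an allow-list is bypassed.
    val cases = listOf(
        "https://canvas.example.invalid/canvas/board.html",        // trusted
        "https://canvas.example.invalid/admin/",                   // wrong path
        "https://canvas.example.invalid/canvas/../admin/",         // traversal, normalized away
        "http://canvas.example.invalid/canvas/board.html",         // wrong scheme
        "https://canvas.example.invalid.attacker.test/canvas/",    // host-suffix look-alike
        "https://canvas.example.invalid:8443/canvas/",             // wrong port
        "about:blank",                                             // no host at all
        null,                                                      // nothing loaded yet
    )
    for (url in cases) {
        val bridge = CanvasBridge { url }
        println("${url ?: "<null>"} -> ${bridge.runAction("open-board")}")
    }
}
```

Two points worth keeping in mind when applying this on a real device: checking the page URL at call time is a best-effort control, because the URL must be read on the main thread and the check races with navigation; and where the androidx.webkit library is available, `WebViewCompat.addWebMessageListener` takes an explicit allowed-origin list and lets the platform enforce the origin restriction instead of app code.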
Original source: https://github.com/advisories/GHSA-cxmw-p77q-wchg
First tracked: March 26, 2026 at 08:00 PM