CVE-2026-35643

CVSS v3.1

8.8

High

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary instructions. Untrusted pages can invoke the canvas bridge to execute malicious code within the Android application context.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-940

Related Identifiers

CVE-2026-35643

Affected Products

Openclaw

CVE-2026-35643

Weakness Enumeration

Related Identifiers

Affected Products

References · 6