Primary

Context

OpenClaw WebView JavascriptInterface Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A vulnerability exists in OpenClaw versions prior to 2026.3.22, where the WebView JavascriptInterface is not properly validated. This flaw allows untrusted web pages to inject and execute arbitrary instructions through the canvas bridge, within the context of the Android application.

Impact

Exploitation of this vulnerability allows for arbitrary code execution within the OpenClaw Android application.

Reproduction

To reproduce this vulnerability, load an untrusted web page into the OpenClaw WebView. The page can then invoke the canvas bridge via the JavascriptInterface, executing injected code within the app.

Remediation

Users can update to OpenClaw version 2026.3.22 or later to address this vulnerability.

Added: Apr 10, 2026, 6:39 PM

Updated: Apr 10, 2026, 6:39 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

7.2

remediation

0.0

relevance

5.6

threat

4.8

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

7.2

remediation

0.0

relevance

5.6

threat

4.8

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

OpenClaw WebView JavascriptInterface Vulnerability Allowing Arbitrary Code Execution

Vulnerability

Impact

Reproduction

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating