CVE-2026-35643: OpenClaw: Arbitrary code execution via unvalidated WebView JavascriptInterface

March 26, 2026 (updated April 10, 2026)

Android Canvas WebView pages from untrusted origins could invoke the JavascriptInterface bridge and inject instructions into the app.

References

github.com/advisories/GHSA-cxmw-p77q-wchg
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87
github.com/openclaw/openclaw/security/advisories/GHSA-cxmw-p77q-wchg
nvd.nist.gov/vuln/detail/CVE-2026-35643

Code Behaviors & Features

Detect and mitigate CVE-2026-35643 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →