📄 Description (English)
OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary instructions. Untrusted pages can invoke the canvas bridge to execute malicious code within the Android application context.
🤖 AI Executive Summary
OpenClaw versions before 2026.3.22 contain a critical WebView JavascriptInterface vulnerability (CVE-2026-35643) that allows attackers to inject and execute arbitrary code within Android applications through an unvalidated canvas bridge. This high-severity vulnerability (CVSS 8.8) affects Node.js-based implementations and could enable unauthorized access to sensitive application data and device resources. Organizations using OpenClaw in mobile applications should prioritize immediate patching to prevent potential compromise of user data and application integrity.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 23, 2026 07:38
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations most at risk include: (1) Banking sector (SAMA-regulated institutions) using OpenClaw in mobile banking applications for customer-facing services; (2) Government agencies (NCA oversight) deploying mobile applications for citizen services; (3) Telecommunications providers (STC, Mobily) utilizing OpenClaw in customer apps; (4) Healthcare organizations using mobile health applications; (5) E-commerce and fintech companies processing financial transactions. The vulnerability could lead to unauthorized access to sensitive financial data, personal information, and compromise of authentication mechanisms in mobile banking and payment applications widely used across Saudi Arabia.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Telecommunications
Healthcare
E-commerce and Fintech
Insurance
Retail
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all applications using OpenClaw framework across your organization
2. Audit WebView implementations for JavascriptInterface usage and canvas bridge functionality
3. Disable or restrict untrusted page loading in WebView configurations
PATCHING GUIDANCE:
1. Upgrade OpenClaw to version 2026.3.22 or later immediately
2. Test patched versions in staging environment before production deployment
3. Implement staged rollout for mobile applications to minimize user impact
4. Verify patch effectiveness by reviewing WebView security settings post-update
COMPENSATING CONTROLS (if immediate patching not possible):
1. Implement strict Content Security Policy (CSP) headers to prevent script injection
2. Disable JavaScript execution in WebView where not functionally required
3. Restrict WebView to load only from trusted, HTTPS-verified sources
4. Implement additional input validation and sanitization for all user-supplied data
5. Use WebView's addJavascriptInterface() only for essential functionality with explicit allowlisting
DETECTION RULES:
1. Monitor for suspicious JavaScript execution patterns in application logs
2. Alert on unexpected canvas bridge invocations or unusual parameter values
3. Track WebView loading of non-whitelisted domains
4. Monitor for privilege escalation attempts following WebView interactions
5. Implement runtime application self-protection (RASP) to detect code injection attempts
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع التطبيقات التي تستخدم إطار عمل OpenClaw في جميع أنحاء المنظمة
2. تدقيق تطبيقات WebView للتحقق من استخدام JavascriptInterface وجسر canvas
3. تعطيل أو تقييد تحميل الصفحات غير الموثوقة في إعدادات WebView
إرشادات التصحيح:
1. ترقية OpenClaw إلى الإصدار 2026.3.22 أو أحدث على الفور
2. اختبار الإصدارات المصححة في بيئة التجريب قبل نشرها في الإنتاج
3. تنفيذ طرح مرحلي للتطبيقات المحمولة لتقليل تأثير المستخدم
4. التحقق من فعالية التصحيح بمراجعة إعدادات أمان WebView بعد التحديث
الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):
1. تطبيق سياسة أمان المحتوى الصارمة (CSP) لمنع حقن البرامج النصية
2. تعطيل تنفيذ JavaScript في WebView حيث لا يكون مطلوباً وظيفياً
3. تقييد WebView لتحميل البيانات فقط من مصادر موثوقة معتمدة عبر HTTPS
4. تطبيق التحقق من الصحة والتنظيف الإضافي لجميع البيانات المدخلة من المستخدم
5. استخدام addJavascriptInterface() فقط للوظائف الأساسية مع قائمة بيضاء صريحة
قواعد الكشف:
1. مراقبة أنماط تنفيذ JavaScript المريبة في سجلات التطبيق
2. التنبيه على استدعاءات جسر canvas غير المتوقعة أو قيم المعاملات غير العادية
3. تتبع تحميل WebView من النطاقات غير المدرجة في القائمة البيضاء
4. مراقبة محاولات تصعيد الامتيازات بعد تفاعلات WebView
5. تطبيق حماية التطبيق الذاتية في وقت التشغيل (RASP) للكشف عن محاولات حقن الأكواد
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Information Security Policies and Procedures
ECC 2024 A.6.1.1 - Access Control and Authentication
ECC 2024 A.8.1.1 - Cryptography and Data Protection
ECC 2024 A.12.2.1 - Change Management
ECC 2024 A.14.2.1 - Vulnerability Management
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Software and Hardware Asset Management
SAMA CSF PR.AC-1 - Access Control and Authentication
SAMA CSF PR.PT-2 - Data Protection and Privacy
SAMA CSF DE.CM-1 - Detection and Analysis
SAMA CSF RS.MI-1 - Incident Response and Recovery
🟡 ISO 27001:2022
ISO 27001:2022 A.5.1 - Policies for Information Security
ISO 27001:2022 A.6.1 - Organization of Information Security
ISO 27001:2022 A.8.1 - Asset Management
ISO 27001:2022 A.12.6 - Change Management
ISO 27001:2022 A.14.2 - Information Security Incident Management
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Security Patches and Updates
PCI DSS 6.5.1 - Injection Flaws Prevention
PCI DSS 11.2 - Vulnerability Scanning
🔗 References & Sources 4
🔗
https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87
disclosure@vulncheck.com
Patch
🔗
https://github.com/openclaw/openclaw/commit/8b02ef133275be96d8aac2283100016c8a7f32e5
disclosure@vulncheck.com
Patch
🔗
https://github.com/openclaw/openclaw/security/advisories/GHSA-cxmw-p77q-wchg
disclosure@vulncheck.com
Vendor Advisory
🔗
https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-unvalidated-...
disclosure@vulncheck.com
Third Party Advisory
📦 Affected Products / CPE 1 entries
openclaw:openclaw