Improper Verification of Source of a Communication Channel in OpenClaw - #VU125182
Published: April 8, 2026
OpenClaw
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary instructions in the app.
The vulnerability exists due to improper verification of source of a communication channel in the Android canvas WebView JavascriptInterface bridge when handling pages from untrusted origins. A remote attacker can load an attacker-controlled page that invokes the bridge to execute arbitrary instructions in the app.