CVE-2026-35643: OpenClaw Android RCE
A JavaScript bridge flaw in the OpenClaw Android app (CVE-2026-35643) lets attackers execute code via a malicious webpage. Update to version 2026.3.22 immediately.
Vendor-confirmed: CVE-2026-35643 is a high-severity arbitrary code execution vulnerability in OpenClaw Android prior to 2026.3.22 that lets attackers run native commands on victims' devices via a malicious webpage.
Overview
A high-severity vulnerability, CVE-2026-35643, has been identified in the OpenClaw Android application. Versions prior to 2026.3.22 contain an unvalidated JavascriptInterface in a WebView component. This flaw allows a malicious webpage to invoke the application’s internal canvas bridge, leading to arbitrary code execution within the app’s context.
Technical Details
The vulnerability stems from improper security controls in the app’s WebView implementation. A JavascriptInterface named canvas is exposed to web content without proper validation. When a user navigates to an attacker-controlled webpage, that page can call this interface to inject and execute native instructions. The attack complexity is low, requiring no special privileges, but does require user interaction, such as clicking a link.
Impact
Successful exploitation grants an attacker the ability to execute code with the permissions of the vulnerable OpenClaw application. This could lead to data theft, unauthorized access to device features the app can use, or a foothold for further attacks on the device. The risk is significant for any user running an affected version of the app.
Remediation and Mitigation
The primary remediation is to update OpenClaw to version 2026.3.22 or later immediately. The vendor has addressed the flaw by implementing proper validation for the WebView bridge.
If an immediate update is not possible, consider these mitigations:
- Advise users to avoid clicking on untrusted links within the app or from external sources that may open the app.
- As a broader security measure, review and restrict the ability to sideload unverified applications on enterprise-managed devices to reduce the overall attack surface.
- Monitor network traffic for anomalies that may indicate attempted exploitation.
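The following is an added illustration of the bug class described under Technical Details and of the kind of fix described under Remediation; it is not OpenClaw's code, and the class names, the bridge method, and the allowed origin are hypothetical. It shows a WebView JavaScript bridge as it is typically exposed without any check (any page loaded into the WebView can call it), next to a hardened form that only honours bridge calls while an allow-listed origin is displayed and refuses to navigate the bridged WebView anywhere else.

```java
// Added example, not OpenClaw's code. Class, method and origin names are hypothetical.
import android.graphics.Bitmap;
import android.net.Uri;
import android.util.Log;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Collections;
import java.util.Set;

public final class CanvasBridgeExample {
    private static final String TAG = "CanvasBridge";

    // BEFORE: every page loaded in the WebView can call window.canvas.dispatch(...).
    // Nothing checks which origin the calling page came from.
    static final class UnsafeCanvasBridge {
        @JavascriptInterface   // required on API 17+ for the method to be reachable from JS
        public void dispatch(String command) {
            handleCanvasCommand(command); // acts on page-controlled input unconditionally
        }
    }

    // AFTER: the bridge only acts while the WebView shows an allow-listed origin.
    static final class SafeCanvasBridge {
        private final Set<String> allowedOrigins;
        private volatile String currentOrigin = "";

        SafeCanvasBridge(Set<String> allowedOrigins) { this.allowedOrigins = allowedOrigins; }

        // Updated from WebViewClient callbacks, which run on the UI thread.
        void onNavigated(String url) { currentOrigin = originOf(url); }

        @JavascriptInterface
        public void dispatch(String command) {
            // Bridge calls arrive on a background thread: never touch the WebView here,
            // only the origin recorded when the page started loading.
            if (!allowedOrigins.contains(currentOrigin)) {
                Log.w(TAG, "rejected bridge call from origin: " + currentOrigin);
                return;
            }
            handleCanvasCommand(command);
        }
    }

    // Normalises a URL to scheme://host[:port]; returns "" for anything unparsable.
    static String originOf(String url) {
        if (url == null) return "";
        Uri u = Uri.parse(url);
        if (u.getScheme() == null || u.getHost() == null) return "";
        String origin = u.getScheme() + "://" + u.getHost();
        return u.getPort() == -1 ? origin : origin + ":" + u.getPort();
    }

    static void handleCanvasCommand(String command) {
        // Placeholder: the app's actual canvas handling is not shown on the advisory page.
        Log.d(TAG, "canvas command: " + command);
    }

    // Wires the hardened bridge into a WebView.
    static void configure(WebView webView) {
        // Hypothetical origin that is allowed to talk to the bridge.
        Set<String> allowed = Collections.singleton("https://canvas.example.invalid");
        SafeCanvasBridge bridge = new SafeCanvasBridge(allowed);

        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccess(false);     // keep file:// content away from the bridge
        s.setAllowContentAccess(false);  // likewise for content:// URIs

        webView.setWebViewClient(new WebViewClient() {
            @Override
            public void onPageStarted(WebView view, String url, Bitmap favicon) {
                bridge.onNavigated(url);
            }

            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Primary control: the bridged WebView never navigates to a foreign origin.
                String origin = originOf(request.getUrl().toString());
                if (allowed.contains(origin)) return false;  // let the WebView load it
                Log.w(TAG, "blocked navigation to " + origin);
                return true;                                  // swallow the navigation
            }
        });
        webView.addJavascriptInterface(bridge, "canvas");
    }
}
```

The navigation block in shouldOverrideUrlLoading is the control that actually removes the attack path, since a malicious page can only reach the bridge if it is loaded into this WebView; the origin check inside dispatch is defence in depth against a redirect racing the navigation callback. Exposing the bridge only to content the app itself serves, and keeping the bridge surface to the minimum set of methods the page needs, is the configuration the vendor's fix in 2026.3.22 is described as restoring.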
Security Insight
This vulnerability highlights the persistent risk of insecure WebView configurations in mobile applications, a class of flaw that regularly leads to severe impact because it hands web content a path into native code. It underscores the need for developers to rigorously audit every bridge between web content and native code and to treat the boundary between the two with the same isolation discipline applied to any other trust boundary. That the fix arrived only in version 2026.3.22 suggests the OpenClaw development lifecycle previously lacked sufficient security review for these high-risk components.
Related Advisories
- OpenClaw before 2026.3.28 contains a server-side request forgery vulnerability in the fal provider image-generation-provider.ts component that allows attackers to fetch internal URLs. A malicious or c...
- OpenClaw before 2026.3.12 contains an authentication bypass vulnerability in Feishu webhook mode when only verificationToken is configured without encryptKey, allowing acceptance of forged events. Una...
- OpenClaw before 2026.3.13 reads and buffers Telegram webhook request bodies before validating the x-telegram-bot-api-secret-token header, allowing unauthenticated attackers to exhaust server resources...
- OpenClaw before 2026.4.10 contains an improper network binding vulnerability in the sandbox browser CDP relay that exposes Chrome DevTools Protocol on 0.0.0.0. Attackers can access the DevTools protoc...
- OpenClaw before 2026.3.11 contains a privilege escalation vulnerability in device.token.rotate that allows callers with operator.pairing scope to mint tokens with broader scopes by failing to constrai...
- OpenClaw before 2026.3.12 contains an authorization bypass vulnerability where Feishu reaction events with omitted chat_type are misclassified as p2p conversations instead of group chats. Attackers ca...