Description
## Summary

The iOS implementation of `cordova-plugin-inappbrowser` passes the `id` field from a `WKScriptMessage` body to `commandDelegate sendPluginResult:callbackId:` with no format validation (`CDVWKInAppBrowser.m:560–574`). Any web content loaded inside the InAppBrowser can fire any pending Cordova callback in the host app by posting a message whose `id` field is a guessable or enumerated callback identifier. An attack abusing this weakness must be tailored to the specific plugins and callback IDs the host app uses, though an attacker with knowledge of common Cordova plugin configurations could craft reusable payloads targeting widely adopted plugins.


## Impact

An unauthenticated remote attacker who controls content displayed in the InAppBrowser — via a URL the app opens (OAuth redirect, marketing link, deep-link target) or a network interception — can call `window.webkit.messageHandlers.cordova_iab.postMessage({id: '<victim-callback-id>', d: '...'})` to fire callbacks belonging to any other installed Cordova plugin (Camera, Contacts, File, Geolocation). Cordova callback IDs follow the predictable format `<PluginName><sequential-integer>`, making enumeration feasible. Successful exploitation allows the attacker to spoof plugin results across trust boundaries — for example, injecting a forged camera approval, a fabricated contacts list, or a crafted file-read response.

This issue affects Cordova Plugin InAppBrowser: from 3.1.0 through 6.0.0.

Users are recommended to upgrade to version 6.0.1, which fixes the issue.
Published: 2026-06-08
Score: 9.5 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The iOS implementation of the cordova-plugin-inappbrowser forwards the callback identifier contained in a WKScriptMessage directly to the Cordova runtime without performing any validation. This oversight allows any web content rendered inside an InAppBrowser window to trigger any pending Cordova callback by sending a crafted message containing a guessed or enumerated callback identifier. Because Cordova callback identifiers follow a predictable pattern—typically the plugin name concatenated with a sequence number—an attacker can enumerate valid identifiers for common plugins such as Camera, Contacts, File, and Geolocation. The consequence is that forged responses can be injected into the host application, potentially providing fake data or unauthorized approval of device resources, thereby enabling data leakage or unauthorized device interaction.

Affected Systems

Apache Cordova Plugin InAppBrowser versions from 3.1.0 through 6.0.0 are affected. The issue was fixed in version 6.0.1, which introduces validation of the callback identifier.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.5, indicating a critical risk. EPSS data is not available, and the issue is not listed in CISA KEV. An attacker does not need privileged access; they only require control over the content displayed in an InAppBrowser instance, such as via a malicious URL loaded during a redirect or through network interception. The predictability of callback identifiers lowers the barrier to exploitation, making the threat feasible for applications that embed commonly used Cordova plugins.

Generated by OpenCVE AI on June 8, 2026 at 12:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Cordova Plugin InAppBrowser to version 6.0.1 or later, which validates callback identifiers.
  • Configure InAppBrowser to load content only from trusted domains or disable the component when handling untrusted content, thereby reducing the attack surface.
  • Implement an additional runtime check that verifies callback identifiers against the expected pattern or a whitelist before dispatching plugin results, providing a temporary protection until the official patch is applied.

Generated by OpenCVE AI on June 8, 2026 at 12:51 UTC.
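
The runtime check named in the third recommended action, as an added example (not the plugin's own code and not the 6.0.1 patch): it combines a format check with an allowlist of pending IDs. It assumes the plugin's own callback IDs use the prefix `InAppBrowser`; the function names and the `pending` set are hypothetical.

```objc
#import <Foundation/Foundation.h>

// Assumption: this plugin's callbacks are "InAppBrowser" + digits, per the
// <PluginName><sequential-integer> format described in the advisory.
static BOOL IABIsWellFormedCallbackId(id candidate) {
    // The message body is web-controlled, so "id" may be any JSON type.
    if (![candidate isKindOfClass:[NSString class]]) return NO;
    static NSRegularExpression *pattern;
    static dispatch_once_t once;
    dispatch_once(&once, ^{
        // \A ... \z anchor the whole string; "$" would also accept a trailing newline.
        pattern = [NSRegularExpression
            regularExpressionWithPattern:@"\\AInAppBrowser[0-9]{1,10}\\z"
                                 options:0
                                   error:NULL];
    });
    NSString *s = (NSString *)candidate;
    return [pattern numberOfMatchesInString:s
                                    options:0
                                      range:NSMakeRange(0, s.length)] == 1;
}

// Hypothetical gate: returns the callback ID to dispatch, or nil to drop the
// message. `pending` is the allowlist of IDs this plugin registered itself.
static NSString *IABCallbackIdToDispatch(id body, NSSet<NSString *> *pending) {
    if (![body isKindOfClass:[NSDictionary class]]) return nil;
    id candidate = ((NSDictionary *)body)[@"id"];
    if (!IABIsWellFormedCallbackId(candidate)) return nil;
    return [pending containsObject:candidate] ? (NSString *)candidate : nil;
}

int main(void) {
    @autoreleasepool {
        NSSet<NSString *> *pending = [NSSet setWithObject:@"InAppBrowser12"];
        // Constructed message bodies, as a WKScriptMessage handler would receive them.
        NSArray *bodies = @[
            @{@"id": @"InAppBrowser12", @"d": @"{}"}, // own pending callback: dispatched
            @{@"id": @"InAppBrowser99", @"d": @"{}"}, // well-formed, not pending: dropped
            @{@"id": @"Camera3", @"d": @"{}"},        // another plugin's namespace: dropped
            @{@"id": @"InAppBrowser12\n"},            // trailing newline: dropped
            @{@"id": @42}                             // wrong type: dropped
        ];
        for (id body in bodies) {
            NSString *cb = IABCallbackIdToDispatch(body, pending);
            NSLog(@"%@ -> %@", cb ? @"dispatch" : @"drop", cb ?: @"(none)");
        }
    }
    return 0;
}
```

Dropping a rejected message silently, rather than returning an error to the page, avoids giving the loaded content a signal about which IDs are pending.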


Advisories
| Source | ID | Title |
|---|---|---|
| GitHub GHSA | GHSA-q42j-x8rq-pjg6 | Cordova Plugin InAppBrowser: iOS: Arbitrary Cordova callback IDs can be dispatched without validation from InAppBrowser WebViews. |
History

Tue, 09 Jun 2026 09:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Apache; Apache cordova In-app-browser |
| Vendors & Products | | Apache; Apache cordova In-app-browser |

Mon, 08 Jun 2026 13:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| References | | |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Mon, 08 Jun 2026 11:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Same text as the Description at the top of this page (Summary and Impact) |
| Title | | Cordova Plugin InAppBrowser: iOS: Arbitrary Cordova callback IDs can be dispatched without validation from InAppBrowser WebViews |
| Weaknesses | | CWE-20 |
| References | | |
| Metrics | | cvssV4_0: {'score': 9.5, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'} |


Subscriptions

Apache Cordova In-app-browser
MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-08T12:56:23.693Z

Reserved: 2026-05-19T19:48:39.914Z

Link: CVE-2026-47430

Vulnrichment

Updated: 2026-06-08T11:41:19.007Z

NVD

Status: Awaiting Analysis

Published: 2026-06-08T12:16:32.193

Modified: 2026-06-08T14:57:49.490

Link: CVE-2026-47430

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T08:45:37Z

Weaknesses
  • CWE-20: Improper Input Validation