Product: Android System WebView / Google Chrome (WebView component)
Vendor: Google
CVE ID: CVE-2026-0628
CVSS v3.1 Score: 8.1 (High)
Severity: High
Attack Vector: Remote
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Exploitability: High
Exploit Availability: No confirmed public exploit at the time of patch release
Patch Release Date: 6 January 2026
Affected Platforms: Android applications using WebView, Chrome on Android
Overview
CVE-2026-0628 is a high-impact vulnerability affecting the WebView component used across Android applications and Chrome on Android. The issue is tied to gaps in how WebView enforces certain security policies, which under specific conditions can be bypassed.
When exploited, this flaw allows untrusted web content to execute JavaScript in ways that should normally be blocked. Any Android app that relies on WebView to display external or dynamically loaded content may be exposed, especially if strict controls are not already in place.
Technical Breakdown
At its core, the vulnerability is caused by incomplete or inconsistent policy validation inside WebView. Certain checks related to origin handling, script execution boundaries, or context isolation were not reliably enforced during specific navigation or rendering flows.
Because of this, carefully crafted web content can:
- Circumvent expected WebView security restrictions
- Execute scripts outside their intended scope
- Interact with app-level WebView contexts that should remain isolated
This behavior breaks the trust boundary between embedded web content and the hosting Android application.
Exploitation Scenario
A realistic exploitation path looks like this:
- A user installs a legitimate Android application that embeds WebView.
- The app loads external content such as links, ads, or redirected pages.
- An attacker controls or injects a specially crafted webpage.
- When that page loads inside WebView:
  - Security policies are not fully enforced.
  - Malicious JavaScript executes with broader access than intended.
- The attacker may then:
  - Access exposed interfaces
  - Manipulate in-app content
  - Abuse the application’s trust in WebView-rendered data
No elevated permissions are required, and the device does not need to be rooted.
Impact Assessment
While this vulnerability does not directly allow full device takeover, it significantly weakens WebView’s isolation model. Potential consequences include:
- Unauthorized JavaScript execution
- Policy enforcement bypass
- Cross-context script injection
- Exposure of sensitive data handled by WebView-enabled apps
- Increased phishing and session abuse risk
For apps that load third-party or user-controlled content, the risk is notably higher.
Proof of Concept Status
- No public proof-of-concept code is currently available
- The issue was validated through internal testing during responsible disclosure
- Exploitation is considered feasible but not yet widely weaponized
Indicators of Malicious Activity
Teams should be alert to the following behaviors:
- JavaScript executing unexpectedly inside WebView
- WebView navigating to domains not defined in application logic
- Unusual redirect chains or iframe injection
- DOM manipulation occurring without user interaction
Example Payload Pattern
<script>
  // Probe for a native bridge object that the host app exposed to page script
  if (window.AndroidInterface) {
    AndroidInterface.getSensitiveData();
  }
</script>
This illustrates a common attempt to reach restricted interfaces that should normally be blocked by WebView policy enforcement.
Detection and Monitoring
Recommended Log Sources
- Android system logs (logcat)
- Application-level WebView logging
- Mobile network traffic monitoring
- Mobile Threat Defense telemetry
Detection Focus Areas
- Script execution from untrusted origins
- Cross-origin access attempts
- Repeated redirections to unfamiliar domains
- WebView crashes followed by automatic reloads
Detection Rule
Logic Summary:
- Identify JavaScript execution inside WebView
- Source domain not on approved allowlist
- Attempted access to native bridges or restricted APIs
Severity: High
Response: Block content, alert security teams, enforce application updates
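The rule above applied to application-level WebView logs, as an added example that is not part of the original advisory or any vendor code. The JSON field names, event types, allowlist and log lines are constructed assumptions, as is the lower "review" tier for script execution that does not touch a bridge.

```python
import json
from urllib.parse import urlsplit

# Assumption: the hosts this app is expected to load (replace with your own).
ALLOWED_HOSTS = {"app.example.com", "cdn.example.com"}

# Constructed sample events; the JSON field names are hypothetical.
SAMPLE_LOG = """\
{"ts": "10:00:01", "event": "js_exec", "page_url": "https://app.example.com/home"}
{"ts": "10:00:02", "event": "bridge_call", "page_url": "https://app.example.com/home", "target": "AndroidInterface"}
{"ts": "10:00:05", "event": "js_exec", "page_url": "https://app.example.com.lookalike.test/a"}
{"ts": "10:00:06", "event": "bridge_call", "page_url": "https://app.example.com.lookalike.test/a", "target": "AndroidInterface"}
{"ts": "10:00:09", "event": "js_exec", "page_url": "https://app.example.com@ads.test/x"}
truncated line that is not JSON
"""


def origin_host(url):
    """Return the lower-cased http(s) host of url, or None if there is none."""
    try:
        parts = urlsplit(str(url))
        host = parts.hostname  # userinfo and port are already stripped here
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    return host.rstrip(".").lower()


def detect(log_text, allowed=frozenset(ALLOWED_HOSTS)):
    """Return findings for script or bridge events from non-allowlisted origins."""
    findings = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if not isinstance(ev, dict) or ev.get("event") not in ("js_exec", "bridge_call"):
            continue
        host = origin_host(ev.get("page_url", ""))
        if host in allowed:  # exact host match; a None host is never allowed
            continue
        # All three rule conditions hold only when a bridge is touched.
        severity = "high" if ev["event"] == "bridge_call" else "review"
        findings.append({"ts": ev.get("ts"), "host": host,
                         "event": ev["event"], "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The comparison is an exact host match after URL parsing, so a lookalike host that merely starts with an allowed name, or that places the allowed name in the userinfo part of the URL, is still reported.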
MITRE ATT&CK Mapping
- T1059.007 – JavaScript execution
- T1203 – Exploitation for client-side execution
- T1189 – Drive-by compromise
- T1071.001 – Web-based application layer communication
Mitigation and Remediation
Immediate Steps
- Update Chrome and Android System WebView to the latest versions
- Enforce automatic updates across managed devices
- Limit WebView access to trusted domains only
Hardening Recommendations
- Use strict domain allowlists
- Disable JavaScript where it is not required
- Avoid exposing unnecessary JavaScript bridges
- Consider runtime application self-protection controls
Official Patch
Google has released patched versions of Chrome and Android System WebView addressing CVE-2026-0628.
Official Patch Source:
https://chromereleases.googleblog.com/
Final Takeaway
CVE-2026-0628 is a reminder that embedded browsers remain a high-risk component if not carefully maintained. Even minor gaps in enforcement logic can be abused when web content is embedded inside trusted applications.
Keeping WebView updated and tightly controlled is essential — not optional.
