CVE-2026-47430: Cordova InAppBrowser Callback ID Spoofing (iOS)
A vulnerability in the Apache Cordova InAppBrowser plugin (versions 3.1.0–6.0.0) allows attackers to trick iOS apps into executing unintended plugin callbacks. When an app displays untrusted content in InAppBrowser—such as a social login redirect or marketing landing page—an attacker can craft a malicious message that fires callbacks meant for other installed plugins (like Camera, Contacts, or Geolocation). Because Cordova uses predictable callback naming, attackers can enumerate and target these IDs without specialized knowledge. The result is that the attacker can spoof plugin results: falsely approving a camera request, injecting fake contacts, or returning fabricated file data—all appearing to come from legitimate plugin operations.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- Weaknesses (CWE)
- CWE-20
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-30
NVD description (verbatim)
## Summary The iOS implementation of `cordova-plugin-inappbrowser` passes the `id` field from a `WKScriptMessage` body to `commandDelegate sendPluginResult:callbackId:` with no format validation (`CDVWKInAppBrowser.m:560–574`). Any web content loaded inside the InAppBrowser can fire any pending Cordova callback in the host app by posting a message whose `id` field is a guessable or enumerated callback identifier. An attack abusing this weakness must be tailored to the specific plugins and callback IDs the host app uses. Though an attacker with knowledge of common Cordova plugin configurations could craft reusable payloads targeting widely-adopted plugins. ## Impact An unauthenticated remote attacker who controls content displayed in the InAppBrowser — via a URL the app opens (OAuth redirect, marketing link, deep-link target) or a network interception — can call `window.webkit.messageHandlers.cordova_iab.postMessage({id: '<victim-callback-id>', d: '...'})` to fire callbacks belonging to any other installed Cordova plugin (Camera, Contacts, File, Geolocation). Cordova callback IDs follow the predictable format `<PluginName><sequential-integer>`, making enumeration feasible. Successful exploitation allows the attacker to spoof plugin results across trust boundaries — for example, injecting a forged camera approval, a fabricated contacts list, or a crafted file-read response. This issue affects Cordova Plugin InAppBrowser: from 3.1.0 through 6.0.0. Users are recommended to upgrade to version 6.0.1, which fixes the issue.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in `CDVWKInAppBrowser.m` (lines 560–574), where the `id` field from incoming `WKScriptMessage` bodies is passed directly to `commandDelegate sendPluginResult:callbackId:` without validation. Web content running in the InAppBrowser context can post messages via `window.webkit.messageHandlers.cordova_iab.postMessage({id: '<callback-id>', d: '...'})`. Cordova callback identifiers follow a predictable enumerable format—`<PluginName><integer>`—enabling attackers to systematically target callbacks for commonly installed plugins. By supplying a valid callback ID, an attacker can invoke any pending callback in the host app's plugin ecosystem, allowing result spoofing across trust boundaries. The flaw is a failure to validate that the callback ID belongs to the InAppBrowser's own scope, conflating the browser's message handling with the host application's plugin invocation chain.
Business impact
Organizations relying on Cordova-based iOS apps that implement InAppBrowser for OAuth flows, marketing content, deep links, or embedded web views face integrity risk. An attacker controlling or intercepting content shown in the browser can forge plugin results, undermining security controls that depend on genuine plugin approval flows (e.g., falsifying biometric or camera consent). This is particularly dangerous for financial, health, or identity-verification apps where camera, contact, or geolocation callbacks carry business logic. The attack requires no user interaction or authentication, making it a remote threat from any attacker-controlled or compromised web endpoint the app visits. Remediation is straightforward—upgrade to 6.0.1—but unpatched apps remain vulnerable indefinitely.
Affected systems
Apache Cordova InAppBrowser plugin versions 3.1.0 through 6.0.0 are vulnerable. Any iOS application using this plugin range is at risk if it: (1) opens InAppBrowser to load external or user-controlled URLs, (2) relies on callbacks from other Cordova plugins (Camera, Contacts, File, Geolocation, etc.), and (3) does not implement secondary validation of plugin callback results. Apps that use InAppBrowser only for static local content or sandbox-isolated contexts are at lower risk. The fix is available in version 6.0.1 and later.
Exploitability
Exploitability is straightforward for attackers who can control or intercept content loaded in the InAppBrowser. No special privileges, authentication, or user interaction is required. The barrier to exploitation is knowledge of which plugins the target app uses and enumeration of their callback IDs—a reconnaissance task that can be automated or informed by reverse engineering the app binary. Publicly documented Cordova plugins (Camera, Contacts, Geolocation) are obvious candidates, and a reusable proof-of-concept payload targeting these commonly installed plugins would likely work against many unpatched apps. The attack surface is broad: any URL opened in InAppBrowser (OAuth redirects, marketing links, deep-link targets, network-intercepted endpoints) becomes an attack vector.
Remediation
Upgrade cordova-plugin-inappbrowser to version 6.0.1 or later. This patch validates callback IDs and prevents cross-plugin callback invocation. Organizations should: (1) audit app dependencies to identify the current InAppBrowser version, (2) plan an app release cycle incorporating the upgrade, (3) consider phased rollout if supporting older app versions, and (4) review plugin usage post-upgrade to ensure no regressions. For applications unable to upgrade immediately, implement secondary validation of plugin callback results—verify that sensitive operations (camera, contacts, location access) have been re-approved by the user or that the callback result matches expected data patterns.
Patch guidance
Upgrade cordova-plugin-inappbrowser to version 6.0.1 or later. Verify the patch in your release notes or the Apache Cordova repository. After upgrading, retest any flows that invoke callbacks from other plugins (e.g., camera capture, contact picker, file selection) to ensure no regressions. If your app uses multiple Cordova plugins, ensure all are compatible with the patched InAppBrowser version. Test in both development and staging environments before pushing to production.
Detection guidance
Monitor for signs of exploitation: (1) Unexpected plugin callback invocations without corresponding user interaction (e.g., camera approved without user consent dialog), (2) Unusual or out-of-sequence plugin results in logs, (3) Reports from users that plugin flows appear to succeed when they should fail, or vice versa. Review app version metrics to identify how many users remain on vulnerable versions (3.1.0–6.0.0). Consider adding defensive logging around sensitive plugin callback handlers to detect spoofed results. Reverse-engineering threat actors' payloads is difficult without access to attacker infrastructure, but behavioral anomalies in plugin callback sequences are detectable in client-side logging or crash reports.
Why prioritize this
This vulnerability merits high priority despite lacking KEV status because it combines high exploitability (no user interaction, network accessible), predictable attack patterns, and meaningful business impact across multiple Cordova-dependent applications. The ease of crafting payloads and the breadth of potential targets make it likely to be exploited opportunistically once public details emerge. The fix is low-friction (a version bump), so prioritize patching unpatched apps and validate remediation quickly.
Risk score, explained
CVSS 3.1 score of 7.5 (HIGH) reflects network accessibility, no privilege or user interaction requirements, and high integrity impact (spoof of plugin results). Attack complexity is low—enumeration of callback IDs is straightforward. Confidentiality and availability are not directly impacted (C:N, A:N), hence the integrity-focused score. In context, the real-world risk may be higher for apps handling sensitive operations (finance, health, identity verification) where spoofed plugin results have critical downstream effects.
Frequently asked questions
Can this vulnerability affect Android Cordova apps?
No, this CVE is specific to the iOS implementation (CDVWKInAppBrowser.m). Android Cordova apps use a different browser implementation and are not affected by this flaw.
What happens if my app doesn't use any other Cordova plugins, only InAppBrowser?
If your app uses InAppBrowser in isolation and does not load other Cordova plugins, the vulnerability cannot be exploited because there are no other plugin callbacks to target. However, upgrading to 6.0.1 is still recommended for defense in depth and to mitigate the risk if your app architecture changes in the future.
Is there a way to detect if I'm running a vulnerable version?
Yes. Check your app's dependency configuration (package.json, if using npm) or your Cordova plugins list (`cordova plugin ls`). The vulnerable versions are 3.1.0 through 6.0.0 inclusive. You can also inspect your compiled app's library metadata if you have access to the build artifacts.
Can attackers craft a universal payload that works on all apps?
Attackers can craft payloads targeting commonly installed plugins (Camera, Contacts, Geolocation) that will likely work across many apps. However, a truly universal payload is unlikely because callback IDs are generated per-app and some apps may use different plugin suites. Success requires the attacker to know or guess which plugins the target app uses.
This analysis is based on the public CVE record and vendor advisory as of the published date. No exploit code or weaponized proof-of-concept is provided. Organizations should verify patch applicability and compatibility within their specific environment before deployment. This summary does not constitute legal, compliance, or warranty advice. For authoritative guidance, consult the Apache Cordova security advisory and your organization's security and development teams. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-42588HIGHApache ActiveMQ Remote Code Execution via Jolokia Code Injection
- CVE-2026-45505HIGHApache ActiveMQ Code Injection Vulnerability—Exploit & Patch Guidance
- CVE-2025-22424HIGHAndroid Local Privilege Escalation via Image Disclosure
- CVE-2026-0078HIGHAndroid Privilege Escalation via DevicePolicyManagerService Desync
- CVE-2026-0419HIGHNETGEAR JR6150 Command Injection via Insufficient Input Validation
- CVE-2026-10020HIGHChrome Android Sandbox Escape via Skia Input Validation Flaw
- CVE-2026-10021HIGHGoogle Chrome USB Validation Flaw – RCE Vulnerability Patch
- CVE-2026-10863HIGHMISP Correlations Query Ordering Vulnerability (CVSS 8.1)