Apache has disclosed a critical-rated vulnerability in the widely used cordova-plugin-inappbrowser that exposes iOS mobile applications to cross-boundary callback hijacking, enabling unauthenticated remote attackers to spoof plugin results, forge device permissions, and inject fabricated data, all without any user interaction beyond visiting a malicious link.
CVE-2026-47430 is an important-severity security vulnerability affecting the iOS implementation of cordova-plugin-inappbrowser, a widely deployed Apache Cordova plugin used to render external web content inside hybrid mobile apps.
Disclosed on June 7, 2026, by security researcher Niklas Merz and tracked under Apache Jira issue #1152, the flaw resides in the way the plugin processes WKScriptMessage bodies passed through Apple’s WebKit message handler interface. The vulnerability affects all plugin versions from 3.1.0 through 6.0.0 and has been patched in the newly released version 6.0.1.
The plugin is commonly integrated into Cordova-based hybrid apps, including those built with Ionic and PhoneGap, to display OAuth flows, marketing pages, deep-link targets, or embedded web dashboards without navigating the user away from the native app context.
The vulnerability originates in a single critical code path in CDVWKInAppBrowser.m at lines 560–574. When the InAppBrowser WebView receives a WKScriptMessage, the iOS implementation blindly extracts the id field from the message body and passes it directly to commandDelegate sendPluginResult:callbackId: without any format or ownership validation.
In a correctly secured implementation, only the plugin that registered a callback should be able to resolve it. However, because of this flaw, any JavaScript executing inside the InAppBrowser iframe can craft a postMessage call such as:

    window.webkit.messageHandlers.cordova_iab.postMessage({
        id: '<victim-callback-id>',
        d: '<forged-result-payload>'
    });
This message is silently routed to commandDelegate, which dispatches the result to whichever native Cordova plugin owns the targeted callback, completely bypassing trust boundaries.
The attacker does not need to know the exact callback ID ahead of time, because Cordova generates callback IDs in the highly predictable format <PluginName><sequential-integer> (e.g., Camera1, Contacts2, File3), making systematic enumeration entirely feasible.
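To make the missing check concrete, the following is an added example, not code from the plugin or from the advisory. The native handler lives in Objective-C; this JavaScript models the same two behaviours side by side: a handler that forwards whatever id the message body carries, and one that only resolves callback IDs it issued itself. The names makeCallbackId, makeDispatcher, handleMessageUnvalidated, makeValidatedHandler and the "InAppBrowser" prefix used for the format check are assumptions made for the demonstration.

```javascript
// Added example (not the plugin's code): model of unvalidated vs. ownership-
// checked handling of a WKScriptMessage body. Names and the ID prefix are
// assumptions for this demonstration.

// Cordova-style callback IDs: <PluginName><sequential-integer>.
let counter = 0;
function makeCallbackId(pluginName) {
  counter += 1;
  return `${pluginName}${counter}`;
}

// Stand-in for commandDelegate sendPluginResult:callbackId: . It records
// every dispatch so the outcome can be inspected.
function makeDispatcher() {
  const dispatched = [];
  return {
    dispatched,
    sendPluginResult(result, callbackId) {
      dispatched.push({ callbackId, result });
    },
  };
}

// Vulnerable pattern (as the advisory describes for 3.1.0-6.0.0): the id
// field of the body is forwarded to the delegate without any check.
function handleMessageUnvalidated(delegate, body) {
  delegate.sendPluginResult(body.d, body.id);
  return true;
}

// Hardened pattern: a format check (the id must look like one of this
// plugin's own IDs) followed by an ownership check (the id must be one this
// plugin actually registered). Anything else is dropped.
const ID_FORMAT = /^InAppBrowser\d+$/;

function makeValidatedHandler(delegate, ownedIds) {
  return function handleMessage(body) {
    if (body === null || typeof body !== 'object') return false;
    const { id, d } = body;
    if (typeof id !== 'string' || !ID_FORMAT.test(id)) return false;
    if (!ownedIds.has(id)) return false;
    delegate.sendPluginResult(d, id);
    return true;
  };
}

// Constructed scenario: the Camera plugin and the InAppBrowser each have an
// outstanding callback; page content inside the browser view sends a body
// that targets the Camera callback.
function runScenario() {
  counter = 0;
  const cameraId = makeCallbackId('Camera');      // "Camera1"
  const iabId = makeCallbackId('InAppBrowser');   // "InAppBrowser2"
  const forged = { id: cameraId, d: 'forged-result' };
  const legit = { id: iabId, d: 'loadstop' };

  const before = makeDispatcher();
  handleMessageUnvalidated(before, forged);
  handleMessageUnvalidated(before, legit);

  const after = makeDispatcher();
  const handle = makeValidatedHandler(after, new Set([iabId]));
  const forgedAccepted = handle(forged);
  const legitAccepted = handle(legit);
  const malformedAccepted = handle({ id: 'InAppBrowser2; x', d: 'x' });

  return {
    unvalidatedReached: before.dispatched.map((e) => e.callbackId),
    validatedReached: after.dispatched.map((e) => e.callbackId),
    forgedAccepted,
    legitAccepted,
    malformedAccepted,
  };
}

console.log(runScenario());
```

The ownership set is the important half: a format check on its own would still accept any well-formed ID of the plugin's own prefix, so the handler also has to compare against the IDs it handed out. This is the property the "test your patched build for correct callback routing" step should verify: a body carrying another plugin's callback ID must never reach the delegate.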
This vulnerability is particularly dangerous because exploitation does not require a pre-installed malicious app or a compromised device. An unauthenticated remote attacker who controls content displayed inside an InAppBrowser window through any of the following vectors can trigger the attack:
- OAuth redirect interception: Many apps open OAuth flows (Google, Facebook, Apple Sign-In) inside an InAppBrowser. If the redirect target is attacker-controlled or can be intercepted via a man-in-the-middle on an unsecured network, the attacker gains a foothold.
- Malicious marketing or deep links: Apps that open promotional URLs, click-through banners, or CRM-generated deep links inside InAppBrowser windows are directly exposed.
- Network-level interception: Any HTTP (non-TLS) page opened in the InAppBrowser allows an on-path attacker to inject JavaScript payloads.
Once content is served inside the InAppBrowser, the attacker can enumerate predictable Cordova callback IDs and fire forged results against any active plugin in the host application. Targeted plugins include but are not limited to the Camera, Contacts, File, and Geolocation plugins.
Practical exploitation scenarios include: injecting a forged camera permission approval to silently trigger photo capture; fabricating a contacts list response to harvest personal data; spoofing a geolocation result to manipulate location-aware logic; or delivering a fake file-read response to corrupt app-level data processing workflows.
Affected Ecosystem
The vulnerability affects cordova-plugin-inappbrowser versions 3.1.0 through 6.0.0. Given that version 6.0.0 was released in November 2023 as a major update requiring cordova-android@10.0.0 and cordova-ios@6.0.0, a significant portion of the currently active Cordova ecosystem running modern iOS targets falls squarely within the vulnerable range. Any Cordova-based hybrid app that meets these criteria is at risk:
- The app uses cordova-plugin-inappbrowser v3.1.0–6.0.0 on iOS
- The app opens external or semi-trusted URLs inside the InAppBrowser
- The app has other plugins installed that register persistent callbacks (Camera, Contacts, File, Geolocation)
The severity rating of important reflects the fact that exploitation requires an attacker to control content inside the browser view, but this is a low bar given OAuth flows, deep links, and marketing URLs are standard app patterns.
Patch and Remediation
Apache has addressed the vulnerability in cordova-plugin-inappbrowser version 6.0.1 by introducing format validation on the id field extracted from incoming WKScriptMessage bodies, ensuring that only legitimately registered callback IDs owned by the InAppBrowser plugin itself can be dispatched. Development teams should take the following immediate actions:
- Upgrade immediately to cordova-plugin-inappbrowser@6.0.1 via npm: npm install cordova-plugin-inappbrowser@6.0.1
- Audit all InAppBrowser URL sources, OAuth redirect URIs, marketing links, and deep-link targets, and enforce HTTPS exclusively
- Review registered plugin callbacks across your app’s Cordova plugin stack, prioritizing Camera, Contacts, File, and Geolocation
- Implement a strict Content Security Policy within InAppBrowser-rendered pages to restrict postMessage origins
- Test your patched build for correct callback routing to verify no residual callback injection surface remains
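As a quick check for the first step above, here is an added example (not from the advisory or the Cordova project) that reads a package.json-style manifest and reports whether the declared cordova-plugin-inappbrowser version sits in the affected 3.1.0 through 6.0.0 range. The sample manifest is constructed; the functions parseVersion, isAffectedVersion and auditManifest are names chosen for this example. A declared range such as ^6.0.0 can resolve to either 6.0.0 or the fixed 6.0.1, so the optional installedVersion argument (read from node_modules/cordova-plugin-inappbrowser/package.json in a real project) is what settles it.

```javascript
// Added example (not the advisory's or the project's code): audit a manifest
// for the affected cordova-plugin-inappbrowser range.

const PLUGIN = 'cordova-plugin-inappbrowser';
const AFFECTED_MIN = [3, 1, 0];
const AFFECTED_MAX = [6, 0, 0];

// Accepts "6.0.0", "v6.0.0", "^5.2.1", "~4.1.0"; returns null for anything
// that is not a plain semver floor (git URLs, "latest", tags).
function parseVersion(spec) {
  const m = /^[\^~=v\s]*(\d+)\.(\d+)\.(\d+)/.exec(String(spec));
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true  -> inside 3.1.0..6.0.0
// false -> outside the range (e.g. 6.0.1 or older than 3.1.0)
// null  -> unparsable, needs manual review
function isAffectedVersion(spec) {
  const v = parseVersion(spec);
  if (!v) return null;
  return compareVersions(v, AFFECTED_MIN) >= 0 && compareVersions(v, AFFECTED_MAX) <= 0;
}

// Checks the declared spec and, when given, the actually installed version.
function auditManifest(packageJsonText, installedVersion) {
  const pkg = JSON.parse(packageJsonText);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const spec = deps[PLUGIN];
  if (spec === undefined) {
    return { present: false, spec: null, declaredAffected: false, installedAffected: null };
  }
  const declaredAffected = isAffectedVersion(spec);
  const installedAffected = installedVersion === undefined ? null : isAffectedVersion(installedVersion);
  // A caret/tilde range whose floor is affected may still resolve to a fixed
  // release, so the installed version wins when it is known.
  const affected = installedAffected === null ? declaredAffected : installedAffected;
  return { present: true, spec, declaredAffected, installedAffected, affected };
}

// Constructed sample manifest for the demonstration.
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'example-hybrid-app',
  dependencies: {
    'cordova-ios': '^6.0.0',
    [PLUGIN]: '^6.0.0',
  },
});

console.log(auditManifest(SAMPLE_MANIFEST));          // declared floor 6.0.0: affected
console.log(auditManifest(SAMPLE_MANIFEST, '6.0.1')); // installed 6.0.1: not affected
```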
There is currently no evidence of in-the-wild exploitation, but the predictable callback ID format significantly lowers the technical barrier for threat actors, and proof-of-concept development is likely imminent.
Frequently Asked Questions
Q1: What is CVE-2026-47430? CVE-2026-47430 is an iOS vulnerability in cordova-plugin-inappbrowser (v3.1.0–6.0.0) that allows untrusted web content to dispatch arbitrary Cordova plugin callbacks without validation, enabling remote attackers to spoof plugin results across trust boundaries.
Q2: Which apps are affected by this vulnerability? Any iOS hybrid app built with Apache Cordova that uses cordova-plugin-inappbrowser versions 3.1.0 through 6.0.0 and opens external URLs (OAuth, deep links, marketing pages) inside an InAppBrowser window is vulnerable.
Q3: How can developers fix CVE-2026-47430? Developers must immediately upgrade to cordova-plugin-inappbrowser version 6.0.1, which adds format validation on WKScriptMessage callback IDs to block unauthorized cross-plugin dispatching.
Q4: Can attackers exploit this remotely without physical device access? Yes, an unauthenticated remote attacker who can serve or intercept content inside the InAppBrowser window (via OAuth redirects, MITM, or malicious links) can exploit this flaw entirely over the network without any physical access to the device.