Security Advisory - Published 2026-06-12 - Apache Cordova / iOS

Cordova InAppBrowser CVE-2026-47430: iOS callback boundary check

CVE-2026-47430 affects iOS apps that bundle cordova-plugin-inappbrowser versions 3.1.0 through 6.0.0. Exposure is greatest when the app loads third-party pages (OAuth, payment, deep-link, help-desk, or marketing content) inside InAppBrowser and the host app also ships Cordova plugins that expose sensitive native capabilities.

Defensive scope: this checklist is written for app owners and authorized mobile code reviews. It contains no callback payloads and does not describe how to trigger plugin callbacks in a target app.

Who is affected

  • Package: cordova-plugin-inappbrowser.
  • Affected versions: 3.1.0 through 6.0.0.
  • Fixed version: 6.0.1.
  • Platform focus: iOS implementation of InAppBrowser.

Dependency check

# What npm resolved into node_modules/
npm ls cordova-plugin-inappbrowser
# Every place the workspace records the plugin, including generated platform code
grep -R "cordova-plugin-inappbrowser" package.json package-lock.json config.xml platforms plugins 2>/dev/null
# What the Cordova CLI considers installed
cordova plugin list | grep inappbrowser

Run these in both the source repo and the workspace that produces the release build. Cordova projects often keep an older plugin copy under plugins/ or inside generated platforms/ folders after package.json has already been bumped, and that stale copy is what ends up in the shipped binary.

Flows to review

  • OAuth, SSO, payment checkout, account linking, or KYC pages opened in InAppBrowser.
  • Deep links, universal links, QR links, marketing links, and help-center pages that can redirect inside InAppBrowser.
  • Installed Cordova plugins that expose camera, file, contacts, geolocation, device, or payment-related callbacks.
  • Any custom bridge code that relies on the boundary between InAppBrowser content and the main app's plugins holding.

Safe fix path

  1. Upgrade cordova-plugin-inappbrowser to 6.0.1 or newer.
  2. Remove and re-add the plugin and iOS platform if your build still bundles the older generated code.
  3. Rebuild the iOS app and verify OAuth, payment, and deep-link flows in a staging build.
  4. Review whether untrusted pages are allowed to open inside InAppBrowser at all.
  5. Ship the App Store update with a short note that the embedded browser plugin was patched.

When to request repair help

Use Ping7 CVE Repair if your Cordova app uses InAppBrowser for login or payments and you are not sure which plugin version is inside the released iOS build. Send the package files, config.xml, plugin list, and the app flows that open third-party content.

References