Security Advisory - Published 2026-06-12 - Apache Cordova / iOS
Cordova InAppBrowser CVE-2026-47430: iOS callback boundary check
CVE-2026-47430 affects iOS apps that use cordova-plugin-inappbrowser
versions 3.1.0 through 6.0.0. The risk is highest when the app opens OAuth, payment,
deep-link, helpdesk, or marketing pages inside InAppBrowser and the host app also has
sensitive Cordova plugins installed.
Who is affected
- Package: cordova-plugin-inappbrowser.
- Affected versions: 3.1.0 through 6.0.0.
- Fixed version: 6.0.1.
- Platform focus: iOS implementation of InAppBrowser.
Dependency check
npm ls cordova-plugin-inappbrowser
grep -R "cordova-plugin-inappbrowser" package.json package-lock.json config.xml platforms plugins 2>/dev/null
cordova plugin list | grep inappbrowser
Check the source repo and the actual build workspace. Cordova projects often carry old
plugin versions inside plugins/ or generated platform folders after the
package file has already changed.
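The drift the paragraph above describes (package file bumped, generated copies still old) is easy to miss with a bare grep, so here is an added example, not the advisory's or the Cordova project's code, that reads the version each file records and classifies it against the 3.1.0 through 6.0.0 range. It assumes the usual layouts: a dependency spec in package.json and config.xml, a "node_modules/<id>" entry with a "version" field in package-lock.json, and the <plugin> tag's version attribute in plugins/cordova-plugin-inappbrowser/plugin.xml; the platforms/ folder is left to the grep on the page. The sample workspace is constructed; set SCAN_ROOT to a real project directory to check your own build.

```shell
# Added example (not the advisory's or Cordova's code): classify plugin versions
# against the CVE-2026-47430 range 3.1.0..6.0.0 (fixed in 6.0.1) and scan the files
# the advisory names. Sample workspace is constructed; set SCAN_ROOT to a real project.
# Print -1, 0 or 1 for version $1 <, =, > version $2. Range markers (^, ~, v)
# and prerelease suffixes are stripped, so "^5.0.0" compares by its floor.
vercmp() {
  a=$(printf '%s' "$1" | sed 's/^[^0-9]*//'); b=$(printf '%s' "$2" | sed 's/^[^0-9]*//')
  for i in 1 2 3; do
    x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
    x=${x%%-*}; y=${y%%-*}; x=${x:-0}; y=${y:-0}
    [ "$x" -lt "$y" ] && { printf '%s\n' -1; return 0; }
    [ "$x" -gt "$y" ] && { printf '%s\n' 1; return 0; }
  done
  printf '%s\n' 0
}
# "affected" when 3.1.0 <= version <= 6.0.0 (the advisory's range), else "ok".
classify() {
  if [ "$(vercmp "$1" 3.1.0)" -ge 0 ] && [ "$(vercmp "$1" 6.0.0)" -le 0 ]; then
    printf 'affected\n'; else printf 'ok\n'; fi
}
# Version one file records for the plugin: the spec in package.json/config.xml,
# the lockfile entry's "version", or the <plugin> tag's version attribute in
# plugins/.../plugin.xml (the <?xml version="1.0"?> line is skipped). Empty if absent.
recorded_version() {
  case "$1" in
    *package-lock.json) grep -A 3 'cordova-plugin-inappbrowser": {' "$1" |
      sed -n 's/.*"version": *"\([^"]*\)".*/\1/p' | head -n 1 ;;
    *plugin.xml) grep '<plugin ' "$1" | grep -o 'version="[^"]*"' | head -n 1 | cut -d'"' -f2 ;;
    *) grep -o 'cordova-plugin-inappbrowser"[^"]*"[^"]*"' "$1" | head -n 1 | sed 's/.*"\([^"]*\)"$/\1/' ;;
  esac
}
# One "file version verdict" line per file that records the plugin.
scan() {
  for f in "$1/package.json" "$1/package-lock.json" "$1/config.xml" \
           "$1/plugins/cordova-plugin-inappbrowser/plugin.xml"; do
    [ -f "$f" ] || continue
    v=$(recorded_version "$f")
    if [ -n "$v" ]; then printf '%s %s %s\n' "${f#"$1"/}" "$v" "$(classify "$v")"; fi
  done
}
# Constructed workspace: package.json already bumped to 6.0.1, but the lockfile
# and the generated plugins/ copy still carry 5.0.0 (the drift the advisory warns about).
SCAN_ROOT=${SCAN_ROOT:-$(mktemp -d)}
if [ ! -f "$SCAN_ROOT/package.json" ]; then
  mkdir -p "$SCAN_ROOT/plugins/cordova-plugin-inappbrowser"
  printf '{ "dependencies": { "cordova-plugin-inappbrowser": "^6.0.1" } }\n' > "$SCAN_ROOT/package.json"
  printf '{ "packages": { "node_modules/cordova-plugin-inappbrowser": {\n  "version": "5.0.0" } } }\n' > "$SCAN_ROOT/package-lock.json"
  printf '<?xml version="1.0"?>\n<plugin id="cordova-plugin-inappbrowser" version="5.0.0">\n</plugin>\n' > "$SCAN_ROOT/plugins/cordova-plugin-inappbrowser/plugin.xml"
fi
scan "$SCAN_ROOT"
```

Any line ending in "affected" means that copy of the plugin still needs the upgrade and a clean re-add before the iOS build is shipped.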
Flows to review
- OAuth, SSO, payment checkout, account linking, or KYC pages opened in InAppBrowser.
- Deep links, universal links, QR links, marketing links, and help-center pages that can redirect inside InAppBrowser.
- Installed Cordova plugins that expose camera, file, contacts, geolocation, device, or payment-related callbacks.
- Any custom bridge code that assumes InAppBrowser content is less trusted than the main app.
Safe fix path
- Upgrade cordova-plugin-inappbrowser to 6.0.1 or newer.
- Remove and re-add the plugin and iOS platform if your build still bundles the older generated code.
- Rebuild the iOS app and verify OAuth, payment, and deep-link flows in a staging build.
- Review whether untrusted pages are allowed to open inside InAppBrowser at all.
- Ship the App Store update with a short note that the embedded browser plugin was patched.
When to request repair help
Use Ping7 CVE Repair if your Cordova app uses InAppBrowser
for login or payments and you are not sure which plugin version is inside the released
iOS build. Send the package files, config.xml, plugin list, and the app
flows that open third-party content.