CVE-2026-35394
Received Received - Intake
Intent Injection Vulnerability in Mobile Next's mobile_open_url Tool

Publication date: 2026-04-06

Last updated on: 2026-04-09

Assigner: GitHub, Inc.

Description
Mobile Next is an MCP server for mobile development and automation. Prior to 0.0.50, the mobile_open_url tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls, SMS messages, and content provider access. This vulnerability is fixed in 0.0.50.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-09
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-14
NVD
CVE-2026-35394
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mobilenexthq mobile_mcp to 0.0.50 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-939 The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows execution of arbitrary Android intents that can access sensitive user data such as contacts, SMS, and call logs, and can initiate phone calls or send SMS messages without user consent.

Such unauthorized access and actions could lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive information to ensure confidentiality, integrity, and availability.

By enabling attackers to access or manipulate personal data and device functions without proper authorization, this vulnerability undermines compliance with these standards that mandate safeguarding user data and preventing unauthorized disclosures or modifications.

Detection Guidance

This vulnerability can be detected by checking if the mobile_open_url tool in the @mobilenext/mobile-mcp package is passing user-supplied URLs directly to the Android intent system without scheme validation.

One way to test for the vulnerability is to attempt to execute Android intents using adb commands with potentially dangerous URL schemes such as tel:, sms:, mailto:, content://, or market://.

For example, you can run the following adb shell command to see if the device executes the intent without validation:

  • adb shell am start -a android.intent.action.VIEW -d "tel:*#06#"

If this command causes the device to display the IMEI or perform other actions, it indicates the vulnerability is present.

Similarly, testing with other schemes like sms: or content:// can reveal if arbitrary intents can be triggered.

To remediate, upgrade the package to version 0.0.50 or later, which restricts URL schemes by default.

Executive Summary

The vulnerability exists in Mobile Next's mobile_open_url tool prior to version 0.0.50. This tool passes user-supplied URLs directly to Android's intent system without validating the URL scheme. Because of this lack of validation, an attacker can execute arbitrary Android intents, which may include triggering USSD codes, making phone calls, sending SMS messages, or accessing content providers.

Impact Analysis

This vulnerability can have serious impacts including unauthorized execution of Android intents. An attacker could exploit it to initiate phone calls, send SMS messages, execute USSD codes that might affect device settings or incur charges, and access sensitive content providers. These actions could lead to data leakage, financial loss, or unauthorized control over device functions.

Mitigation Strategies

To mitigate this vulnerability, upgrade Mobile Next MCP server to version 0.0.50 or later, where the issue with the mobile_open_url tool passing user-supplied URLs without scheme validation has been fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35394. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart