CVE-2026-35394
Intent Injection Vulnerability in Mobile Next's mobile_open_url Tool
Publication date: 2026-04-06
Last updated on: 2026-04-09
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mobilenexthq | mobile_mcp | up to 0.0.50 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-939 | The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in Mobile Next's mobile_open_url tool prior to version 0.0.50. This tool passes user-supplied URLs directly to Android's intent system without validating the URL scheme. Because of this lack of validation, an attacker can execute arbitrary Android intents, which may include triggering USSD codes, making phone calls, sending SMS messages, or accessing content providers.
How can this vulnerability impact me?
This vulnerability can have serious impacts including unauthorized execution of Android intents. An attacker could exploit it to initiate phone calls, send SMS messages, execute USSD codes that might affect device settings or incur charges, and access sensitive content providers. These actions could lead to data leakage, financial loss, or unauthorized control over device functions.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Mobile Next MCP server to version 0.0.50 or later, where the issue with the mobile_open_url tool passing user-supplied URLs without scheme validation has been fixed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows execution of arbitrary Android intents that can access sensitive user data such as contacts, SMS, and call logs, and can initiate phone calls or send SMS messages without user consent.
Such unauthorized access and actions could lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive information to ensure confidentiality, integrity, and availability.
By enabling attackers to access or manipulate personal data and device functions without proper authorization, this vulnerability undermines compliance with these standards that mandate safeguarding user data and preventing unauthorized disclosures or modifications.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the installed @mobilenext/mobile-mcp package is older than 0.0.50, i.e. a version in which the mobile_open_url tool passes user-supplied URLs directly to the Android intent system without scheme validation.
One way to test for the vulnerability is to attempt to execute Android intents using adb commands with potentially dangerous URL schemes such as tel:, sms:, mailto:, content://, or market://.
For example, you can run the following adb shell command to see if the device executes the intent without validation:
- `adb shell am start -a android.intent.action.VIEW -d "tel:*#06#"`
If this command causes the device to display the IMEI or perform other actions, it indicates the vulnerability is present.
Similarly, testing with other schemes like sms: or content:// can reveal if arbitrary intents can be triggered.
To remediate, upgrade the package to version 0.0.50 or later, which restricts URL schemes by default.
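The following is an added example, not code from the Mobile Next project: a scheme allowlist of the kind the 0.0.50 fix is described as adding, which rejects tel:, sms:, content:// and other non-web schemes before a URL is handed to adb, and quotes the surviving URL for the device-side shell. Function and type names are hypothetical.

```typescript
// Added example with hypothetical names, not code from @mobilenext/mobile-mcp:
// the scheme allowlist the advisory says mobile_open_url lacked before 0.0.50.
const DEFAULT_ALLOWED_SCHEMES: ReadonlySet<string> = new Set(["http", "https"]);
interface UrlDecision {
  ok: boolean;
  scheme?: string; // normalised scheme without the trailing colon
  href?: string;   // normalised URL, set only when ok
  reason?: string; // why the URL was rejected
}

// Only absolute URLs with an allowlisted scheme and a host pass. tel:, sms:,
// content://, intent://, javascript: and bare strings are rejected here,
// before anything reaches the Android intent system.
function validateOpenUrl(
  raw: string,
  allowed: ReadonlySet<string> = DEFAULT_ALLOWED_SCHEMES,
): UrlDecision {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return { ok: false, reason: "empty, non-string or oversized URL" };
  }
  let parsed: URL;
  try {
    // WHATWG parsing trims surrounding whitespace and lowercases the scheme,
    // so "  TEL:*#06#" and "tel:*#06#" get the same verdict.
    parsed = new URL(raw);
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  const scheme = parsed.protocol.slice(0, -1); // "https:" -> "https"
  if (!allowed.has(scheme)) {
    return { ok: false, scheme, reason: `scheme "${scheme}" is not allowed` };
  }
  if (parsed.hostname === "") {
    return { ok: false, scheme, reason: "allowed scheme but no host" };
  }
  return { ok: true, scheme, href: parsed.href };
}

// adb joins its arguments into one command line for the device-side shell, so
// the URL is single-quoted for that shell as well as kept out of any local one.
function quoteForDeviceShell(s: string): string {
  return "'" + s.replace(/'/g, `'\\''`) + "'";
}

// argv for execFile("adb", ...) firing ACTION_VIEW, or null if the URL is rejected.
function buildOpenUrlArgs(raw: string): string[] | null {
  const d = validateOpenUrl(raw);
  if (!d.ok || d.href === undefined) return null;
  return ["shell", "am", "start", "-a", "android.intent.action.VIEW", "-d", quoteForDeviceShell(d.href)];
}
```

Pass the returned array to `execFile` rather than joining it into a shell string, so the URL never reaches a local shell unquoted.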