CVE-2026-0016
Credential Manager Service Permission Bypass in Android
Publication date: 2026-06-01
Last updated on: 2026-06-02
Assigner: Android (associated with Google Inc. or Open Handset Alliance)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| android | credentialmanager | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the updateProvidersWhenServiceRemoved function of CredentialManagerService.java. It allows an attacker to bypass permissions and override settings across different users on the device.
Exploitation does not require any additional execution privileges or user interaction.
How can this vulnerability impact me? :
The vulnerability could lead to local information disclosure, meaning sensitive information stored locally on the device could be exposed to unauthorized users.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows a permissions bypass that could lead to local information disclosure without requiring additional execution privileges or user interaction.
Such local information disclosure could potentially impact compliance with data protection regulations like GDPR and HIPAA, which mandate the protection of sensitive user information.
However, specific effects on compliance or regulatory impact are not detailed in the provided information.