CVE-2026-11411
Path Traversal in iAI Lab PDF AI App for Android
Publication date: 2026-06-06
Last updated on: 2026-06-06
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| iai_lab | pdf_ai_app | 4.21.0 |
| chatpdf | pro | 4.22.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-11411 is a vulnerability in the chatpdf.pro Android app that allows an attacker to perform a path traversal attack by manipulating the _display_name argument in file-share intents. The app accepts intents with content:// URIs from any other app and uses the attacker-controlled _display_name metadata as the filename without proper sanitization. This enables the attacker to create arbitrary files in the app's private internal and external storage directories by including "../" sequences in the filename.
The attack requires no special permissions and can be executed locally via exported activity-alias entries in the app's manifest. This flaw allows the attacker to control filenames, directory structures, and file contents, potentially compromising the app's persistent state such as databases, preference files, and cached documents.
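The pattern described above, as an added illustration that is not code from the affected app: a hypothetical import helper that reads `_display_name` from the sender's ContentProvider, shown first the vulnerable way (display name used verbatim as a path component) and then with a hardened variant that keeps only the leaf name and verifies the canonical path stays inside the intended directory. Class and method names, and the `imports` subdirectory, are assumptions.

```java
import android.content.ContentResolver;
import android.content.Context;
import android.database.Cursor;
import android.net.Uri;
import android.provider.OpenableColumns;
import java.io.File;
import java.io.IOException;

// Hypothetical helper illustrating the CWE-22 issue; not the app's own code.
public final class SharedFileImport {

    // OpenableColumns.DISPLAY_NAME is the "_display_name" column. The sending
    // app's ContentProvider fully controls this value, so it is untrusted input.
    static String queryDisplayName(ContentResolver resolver, Uri uri) {
        String[] projection = { OpenableColumns.DISPLAY_NAME };
        try (Cursor c = resolver.query(uri, projection, null, null, null)) {
            if (c != null && c.moveToFirst()) {
                return c.getString(c.getColumnIndexOrThrow(OpenableColumns.DISPLAY_NAME));
            }
        }
        return null;
    }

    // VULNERABLE: the display name becomes a path component as-is, so a value
    // containing "../" resolves to a location outside the "imports" directory.
    static File vulnerableTarget(Context ctx, String displayName) {
        return new File(new File(ctx.getFilesDir(), "imports"), displayName);
    }

    // HARDENED: reduce the name to its last path component, reject degenerate
    // names, then confirm the canonical path is still under the base directory.
    static File hardenedTarget(Context ctx, String displayName) throws IOException {
        File dir = new File(ctx.getFilesDir(), "imports");
        String leaf = new File(displayName).getName(); // drops any directory part
        if (leaf.isEmpty() || leaf.equals(".") || leaf.equals("..")) {
            throw new IOException("rejected display name: " + displayName);
        }
        File target = new File(dir, leaf);
        String base = dir.getCanonicalPath() + File.separator;
        if (!target.getCanonicalPath().startsWith(base)) {
            throw new IOException("display name escapes import directory: " + displayName);
        }
        return target;
    }
}
```

The canonical-path check is the part that matters: stripping `../` alone is fragile, while comparing resolved paths catches any construction that ends up outside the base directory.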
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to create or overwrite files within the app's private storage areas without authorization. This can lead to the compromise of the app's integrity by modifying databases, preference files, or cached documents.
Such unauthorized file creation or modification could disrupt the app's normal operation, potentially causing data corruption or loss, and may be used as a foothold for further attacks on the device or app data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves path traversal via the _display_name argument in file-share intents accepted by the chatpdf.pro Android app. Detection involves monitoring for suspicious intents with content:// URIs that include path traversal sequences such as "../" in the _display_name metadata.
Since the attack is local and exploits exported activity-alias entries, detection can include analyzing app logs or using Android debugging tools to inspect intents sent to chatpdf.pro.
- Use `adb logcat` to monitor logs for suspicious intent data targeting chatpdf.pro.
- Run `adb shell dumpsys activity intents | grep chatpdf.pro` to check recent intents.
- Inspect files in `/data/data/chatpdf.pro/` and `/sdcard/Android/data/chatpdf.pro/` for unexpected or suspicious files created with path traversal patterns.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting or disabling the exported activity-alias entries in the chatpdf.pro app manifest to prevent other apps from sending malicious intents.
Additionally, avoid installing or running untrusted apps that could send malicious intents to chatpdf.pro.
Monitor and remove any suspicious files created in the app's private and external storage directories.
Since the vendor has not responded, consider isolating the affected device or app until a patch or update is available.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.