CVE-2026-12065
Deferred Deferred - Pending Action
Improper Authorization in Groww Stock App WebView URL Handler

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: VulDB

Description
A vulnerability was identified in Groww Stock, Mutual Fund, Gold App up to 20260805 on Android. This affects an unknown part of the component WebView URL Handler. The manipulation leads to improper authorization in handler for custom url scheme. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. It is indicated that the exploitability is difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-12
Last Modified
2026-06-12
Generated
2026-06-12
AI Q&A
2026-06-12
EPSS Evaluated
N/A
NVD
CVE-2026-12065
EUVD
EUVD-2026-36417
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-939 The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the Groww Stock, Mutual Fund, Gold App on Android, specifically in the WebView URL Handler component. It allows improper authorization when handling custom URL schemes, which means that an attacker could manipulate the app to load arbitrary URLs or execute unauthorized actions within the WebView.

Exploitation requires physical access to the device and is considered complex and difficult. The vulnerability can be triggered on a physical device, and the exploit code is publicly available.

Additionally, security testing revealed that the app's internal WebView could load arbitrary external URLs when accessed via privileged debugging environments, allowing JavaScript execution and communication with external servers. There is also a weakness in client-side app lock enforcement, where passcodes are not re-validated after activity transitions, potentially allowing unauthorized navigation within the app.

Impact Analysis

This vulnerability could allow an attacker with physical access or debugging privileges to manipulate the app's WebView to load malicious URLs, execute JavaScript, and communicate with external servers. This could lead to phishing or UI redressing attacks.

However, no direct server-side authentication bypass or account compromise has been observed. The impact is limited by the requirement for physical device access or privileged debugging, making exploitation difficult.

The weak client-side app lock enforcement could allow unauthorized users to navigate into sensitive parts of the app without re-entering the passcode, increasing the risk of unauthorized access to app features.

Detection Guidance

This vulnerability involves unsafe WebView URL handling and weak client-side app lock enforcement in the Groww Android application, which can be exploited only with physical device access or privileged debugging (ADB). Detection would focus on monitoring WebView activities and app lock enforcement behavior.

To detect this vulnerability on your system, you can check if the Groww app's WebView component loads arbitrary external URLs, especially when debugging is enabled. Also, verify if the app lock re-validates passcodes after activity transitions.

  • Use ADB commands to monitor WebView URL loading, for example: adb shell dumpsys activity activities | grep WebView
  • Check for debugging enabled on the device: adb shell getprop ro.debuggable
  • Attempt to navigate within the app after unlocking once to see if passcode re-validation is enforced.
Mitigation Strategies

Immediate mitigation steps include restricting the WebView URL loading to trusted domains only and enforcing stricter passcode validation within the app.

Additionally, disable debugging (ADB) on physical devices to prevent exploitation via privileged debugging environments.

Ensure that the client-side app lock re-validates passcodes after activity transitions to prevent unauthorized navigation.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12065. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart