CVE-2026-12065
Deferred Deferred - Pending Action

Improper Authorization in Groww Stock App WebView URL Handler

Vulnerability report for CVE-2026-12065, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: VulDB

Description

A vulnerability was identified in Groww Stock, Mutual Fund, Gold App up to 20260805 on Android. This affects an unknown part of the component WebView URL Handler. The manipulation leads to improper authorization in handler for custom url scheme. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. It is indicated that the exploitability is difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-12
Last Modified
2026-06-12
Generated
2026-07-02
AI Q&A
2026-06-12
EPSS Evaluated
2026-07-01
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
groww stock_mutual_fund_gold_app to 20260805 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-939 The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in the Groww Stock, Mutual Fund, Gold App on Android, specifically in the WebView URL Handler component. It allows improper authorization when handling custom URL schemes, which means that an attacker could manipulate the app to load arbitrary URLs or execute unauthorized actions within the WebView.

Exploitation requires physical access to the device and is considered complex and difficult. The vulnerability can be triggered on a physical device, and the exploit code is publicly available.

Additionally, security testing revealed that the app's internal WebView could load arbitrary external URLs when accessed via privileged debugging environments, allowing JavaScript execution and communication with external servers. There is also a weakness in client-side app lock enforcement, where passcodes are not re-validated after activity transitions, potentially allowing unauthorized navigation within the app.

Impact Analysis

This vulnerability could allow an attacker with physical access or debugging privileges to manipulate the app's WebView to load malicious URLs, execute JavaScript, and communicate with external servers. This could lead to phishing or UI redressing attacks.

However, no direct server-side authentication bypass or account compromise has been observed. The impact is limited by the requirement for physical device access or privileged debugging, making exploitation difficult.

The weak client-side app lock enforcement could allow unauthorized users to navigate into sensitive parts of the app without re-entering the passcode, increasing the risk of unauthorized access to app features.

Detection Guidance

This vulnerability involves unsafe WebView URL handling and weak client-side app lock enforcement in the Groww Android application, which can be exploited only with physical device access or privileged debugging (ADB). Detection would focus on monitoring WebView activities and app lock enforcement behavior.

To detect this vulnerability on your system, you can check if the Groww app's WebView component loads arbitrary external URLs, especially when debugging is enabled. Also, verify if the app lock re-validates passcodes after activity transitions.

  • Use ADB commands to monitor WebView URL loading, for example: adb shell dumpsys activity activities | grep WebView
  • Check for debugging enabled on the device: adb shell getprop ro.debuggable
  • Attempt to navigate within the app after unlocking once to see if passcode re-validation is enforced.
Mitigation Strategies

Immediate mitigation steps include restricting the WebView URL loading to trusted domains only and enforcing stricter passcode validation within the app.

Additionally, disable debugging (ADB) on physical devices to prevent exploitation via privileged debugging environments.

Ensure that the client-side app lock re-validates passcodes after activity transitions to prevent unauthorized navigation.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12065. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart