CVE-2026-12189
Deferred - Pending Action

Improper Authorization in Moovit Bus & Public Transit App

Vulnerability report for CVE-2026-12189, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-14

Last updated on: 2026-06-15

Assigner: VulDB

Description

A flaw has been found in Moovit Bus & Public Transit App 1.18 on Android. It affects an unknown part of the component com.tranzmate. Executing a manipulation can lead to improper authorization in the handler for a custom URL scheme. The attack can only be executed locally. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Meta Information

Published: 2026-06-14
Last Modified: 2026-06-15
Generated: 2026-07-05
AI Q&A: 2026-06-15
EPSS Evaluated: 2026-07-03

Affected Vendors & Products

One associated CPE:

Vendor   Product                       Version / Range
moovit   bus_and_public_transit_app    1.18

Exploitability

CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-939 The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.

AI Quick Actions

Executive Summary

This vulnerability is a flaw found in the Moovit Bus & Public Transit App version 1.18 on Android. It affects an unknown part of the component com.tranzmate. The issue arises from improper authorization handling in the handler for a custom URL scheme. This means that an attacker could manipulate the app locally to bypass authorization checks.

The attack can only be executed locally, and the exploit has already been published and may be used by attackers. The vendor was contacted early about this issue but did not respond.

Impact Analysis

The vulnerability can lead to improper authorization, which means an attacker with local access to the device could potentially perform actions or access data that should be restricted. This could result in limited confidentiality, integrity, and availability impacts on the app's data or functionality.

According to the CVSS v3.1 score of 5.3, the impact is moderate, affecting confidentiality, integrity, and availability to a limited extent.

Compliance Impact

The vulnerability in the Moovit Android application allows attacker-controlled web content to be rendered within the app's trusted interface, enabling phishing attacks, UI spoofing, and user deception.

Such exploitation could lead to credential theft and erosion of user trust, which may impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding user data and preventing unauthorized access.

However, the provided information does not explicitly state the direct impact on compliance with these standards or any regulatory consequences.

Detection Guidance

This vulnerability involves the Moovit Android app's exported and browsable WebView activity (com.moovit.web.WebViewActivity) improperly handling externally supplied URLs via crafted intents or malicious deep links.

To detect this vulnerability on your system, you can check if the Moovit app has the vulnerable exported WebView activity enabled and if it accepts external intents with URLs without proper validation.

Suggested commands include using Android Debug Bridge (adb) to inspect the app's exported activities and intent filters:

  • adb shell dumpsys package com.tranzmate | grep -A 10 'com.moovit.web.WebViewActivity'
  • adb shell pm dump com.tranzmate | grep -i 'intent-filter'

(dumpsys package and pm dump take the installed package name; for this app that is com.tranzmate, as given in the description above, not the marketing name "moovit".)

Additionally, you can attempt to send crafted intents to the activity to see if it processes arbitrary URLs without restrictions:

  • adb shell am start -a android.intent.action.VIEW -d 'malicious_url_scheme://example.com' com.tranzmate/com.moovit.web.WebViewActivity

(The trailing component must use the installed package name, com.tranzmate, followed by the fully qualified activity class.)

Monitoring app behavior for unexpected WebView loads or suspicious URL handling can also help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include disabling or restricting the exported WebView activity (com.moovit.web.WebViewActivity) if possible.

Implement strict domain allowlisting and URL validation to ensure only trusted URLs are processed by the WebView.

Restrict or disable handling of dangerous or custom URL schemes that could be exploited.

If you are an end user, avoid installing or running untrusted apps that could send malicious intents to the Moovit app.

Consider opening untrusted content in external browsers rather than within the app's WebView.

Since the vendor has not responded, monitor for updates or patches and apply them as soon as they become available.
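The allowlisting and scheme restrictions described above, as an added example of a hardened browsable WebView activity. This is illustrative code written for this page, not Moovit's code; the class name, package and allowlisted hosts are hypothetical placeholders.

```java
// Added example (not the vendor's code): an exported WebView activity that only
// renders https URLs whose host is on an explicit allowlist. Names are placeholders.
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class HardenedWebViewActivity extends Activity {
    // Only these hosts may be rendered inside the app's trusted UI (placeholder values).
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.example.com", "help.example.com"));

    /** Returns true only for absolute https URLs on an allowlisted host. */
    static boolean isAllowedUrl(Uri uri) {
        if (uri == null || !uri.isHierarchical()) return false;        // rejects javascript: and other opaque URIs
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;   // no http, file, content or custom schemes
        String host = uri.getHost();
        if (host == null || uri.getUserInfo() != null) return false;    // reject "trusted.com@evil.com" forms
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Uri target = getIntent().getData();   // URL supplied by the external intent / deep link
        if (!isAllowedUrl(target)) {
            // Refuse untrusted content instead of rendering it in the trusted interface.
            finish();
            return;
        }
        WebView webView = new WebView(this);
        webView.setWebViewClient(new WebViewClient() {
            // Re-check every navigation so a redirect cannot leave the allowlist.
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isAllowedUrl(Uri.parse(url));   // returning true blocks the load
            }
        });
        setContentView(webView);
        webView.loadUrl(target.toString());
    }
}
```

The static isAllowedUrl check is kept separate from the Activity so it can be unit-tested with crafted URIs (custom schemes, userinfo tricks, non-allowlisted hosts) without instrumenting the app.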
