CVE-2026-57848
Received Received - Intake

Stoat for Android Intent URI File Exposure

Vulnerability report for CVE-2026-57848, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-18

Last updated on: 2026-07-18

Assigner: VulnCheck

Description

Stoat for Android exports the chat.stoat.activities.ShareTargetActivity component (reachable to any process on the device via the android.intent.action.SEND intent) and accepts the file to share as a URI supplied through the android.intent.extra.STREAM extra. The activity does not validate or filter the incoming URI before using it as the outgoing attachment, so a caller can pass a file:// URI pointing at the application's own internal storage (for example /data/data/chat.revolt/databases/revolt.db, cached authentication token files, or preferences) and have the app treat that internal file as a user-selected attachment. An attacker who can invoke intents on the victim's device (via ADB access, a co-installed malicious application, or any other route that reaches Android's intent dispatch) can launch ShareTargetActivity with such a URI and cause the victim, on a single channel-selection interaction, to send the internal file to any Stoat channel or user of the attacker's choosing. The composer displays the attachment as \"attachment\" with no filename indication, so the victim has no visible signal that the file being sent is their own internal application data. Consequences include disclosure of the local Stoat database (message history, contact list, cached content), disclosure of authentication tokens permitting full account takeover, and disclosure of any other file readable by the app process.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-18
Last Modified
2026-07-18
Generated
2026-07-19
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
stoatchat stoat to 1.6.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-926 The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Stoat for Android allows an attacker to access internal app files by exploiting an exported component called ShareTargetActivity. The app accepts file URIs without validation, so an attacker can send a URI pointing to sensitive files like the local database or authentication tokens. The app then sends these files to any channel or user chosen by the attacker without the victim's knowledge.

Detection Guidance

This vulnerability is specific to the Stoat for Android application and requires checking for improper URI handling in the ShareTargetActivity component. Review the app's intent filters and file access permissions. Check if the app version is below 1.6.0, as versions prior to this are affected. Use static analysis tools to inspect the ShareTargetActivity.kt file for missing URI validation.

Impact Analysis

If exploited, this vulnerability could lead to the disclosure of your private message history, contact lists, cached content, authentication tokens, and other sensitive files stored by the app. An attacker could gain full control of your Stoat account or access other confidential data accessible by the app.

Compliance Impact

This vulnerability could lead to non-compliance with GDPR and HIPAA due to unauthorized disclosure of personal and sensitive data. GDPR requires protection of personal data, while HIPAA mandates safeguarding protected health information. A breach could result in legal penalties and reputational damage.

Mitigation Strategies

Update the Stoat for Android application to version 1.6.0 or later, which includes the fix for CVE-2026-57848. If updating is not possible, restrict access to the ShareTargetActivity component by removing or modifying its intent filters. Avoid installing untrusted applications that could exploit this vulnerability via intent dispatch.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57848. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart