{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35394", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T17:03:42.074Z", "datePublished": "2026-04-06T20:52:25.170Z", "dateUpdated": "2026-04-07T15:09:43.022Z"}, "containers": {"cna": {"title": "Mobile Next has Arbitrary Android Intent Execution via mobile_open_url", "problemTypes": [{"descriptions": [{"cweId": "CWE-939", "lang": "en", "description": "CWE-939: Improper Authorization in Handler for Custom URL Scheme", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/mobile-next/mobile-mcp/security/advisories/GHSA-5qhv-x9j4-c3vm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mobile-next/mobile-mcp/security/advisories/GHSA-5qhv-x9j4-c3vm"}], "affected": [{"vendor": "mobile-next", "product": "mobile-mcp", "versions": [{"version": "< 0.0.50", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T20:52:25.170Z"}, "descriptions": [{"lang": "en", "value": "Mobile Next is an MCP server for mobile development and automation. Prior to 0.0.50, the mobile_open_url tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls, SMS messages, and content provider access. This vulnerability is fixed in 0.0.50."}], "source": {"advisory": "GHSA-5qhv-x9j4-c3vm", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/mobile-next/mobile-mcp/security/advisories/GHSA-5qhv-x9j4-c3vm", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T14:52:14.299357Z", "id": "CVE-2026-35394", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T15:09:43.022Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35394", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T14:52:14.299357Z"}}}], "references": [{"url": "https://github.com/mobile-next/mobile-mcp/security/advisories/GHSA-5qhv-x9j4-c3vm", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T14:52:22.650Z"}}], "cna": {"title": "Mobile Next has Arbitrary Android Intent Execution via mobile_open_url", "source": {"advisory": "GHSA-5qhv-x9j4-c3vm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "mobile-next", "product": "mobile-mcp", "versions": [{"status": "affected", "version": "< 0.0.50"}]}], "references": [{"url": "https://github.com/mobile-next/mobile-mcp/security/advisories/GHSA-5qhv-x9j4-c3vm", "name": "https://github.com/mobile-next/mobile-mcp/security/advisories/GHSA-5qhv-x9j4-c3vm", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Mobile Next is an MCP server for mobile development and automation. Prior to 0.0.50, the mobile_open_url tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls, SMS messages, and content provider access. This vulnerability is fixed in 0.0.50."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-939", "description": "CWE-939: Improper Authorization in Handler for Custom URL Scheme"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T20:52:25.170Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35394", "state": "PUBLISHED", "dateUpdated": "2026-04-07T15:09:43.022Z", "dateReserved": "2026-04-02T17:03:42.074Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T20:52:25.170Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mobilenexthq:mobile_mcp:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "7C25CC83-A709-4193-8CBF-063A67E51430", "versionEndExcluding": "0.0.50", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mobile Next is an MCP server for mobile development and automation. Prior to 0.0.50, the mobile_open_url tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls, SMS messages, and content provider access. This vulnerability is fixed in 0.0.50."}], "id": "CVE-2026-35394", "lastModified": "2026-04-09T17:49:05.567", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-06T21:16:21.300", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Patch", "Vendor Advisory"], "url": "https://github.com/mobile-next/mobile-mcp/security/advisories/GHSA-5qhv-x9j4-c3vm"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Patch", "Vendor Advisory"], "url": "https://github.com/mobile-next/mobile-mcp/security/advisories/GHSA-5qhv-x9j4-c3vm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-939"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.0.50)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "mobile-mcp", "source": "cna", "vendor": "mobile-next"}, "product": "mobile-mcp", "vendor": "mobile-next"}], "analysis": {"en": {"generated_at": "2026-04-09T19:35:55.084193+00:00", "value": {"mitigation_remediation": ["Apply an update to mobile-mcp version 0.0.50 or later", "Verify that installed mobile-mcp version is >= 0.0.50", "If an immediate update is not possible, block external access to the mobile_open_url interface or implement strict URL scheme validation before processing"], "summary": {"action": "Immediate Patch", "impact": "Arbitrary Intent Execution"}, "threat_synthesis": {"affected_systems": "The flaw affects the mobile-mcp component of the Mobile Next suite released by the mobile-next vendor. Any installation of mobile-mcp prior to version 0.0.50 is vulnerable. The affected environment is typically a Node.js-based server that interacts with Android devices via the mobile_open_url interface. Exact system configurations are not detailed, but all users running the vulnerable version of mobile-mcp in a mobile development or automation context are at risk.", "description_and_impact": "The vulnerability occurs when the mobile_open_url tool in the mobile-mcp server passes user-supplied URLs directly to Android's intent system without validating the URL scheme. This flaw allows an attacker to trigger any Android intent, including actions that can place phone calls, send SMS messages, execute USSD codes, or access content providers. The weakness is categorized under CWE-939, indicating improper handling of user input in a dynamic context. Consequently an attacker could abuse this behavior to initiate privileged actions or exfiltrate data from the device, threatening confidentiality, integrity, and potentially availability if the intent triggers disruptive operations.", "risk_and_exploitability": "The CVSS score of 8.3 indicates high severity, while the EPSS score of less than 1% suggests that exploitation is currently unlikely but the flaw remains serious. It is not listed in the CISA KEV catalog. The likely attack vector is remote, through any channel that allows an attacker to supply a crafted URL to the mobile_open_url endpoint, such as a web request or automated device command. Exploitation requires no special privileges on the server but does rely on the attacker\u2019s ability to inject malicious input into the target\u2019s environment."}}}}, "created": "2026-04-07T06:54:07.657822+00:00", "updated": "2026-04-10T09:45:01.883968+00:00", "vendors": ["mobile-next", "mobile-next$PRODUCT$mobile-mcp"]}