CVE-2026-35394: @mobilenext MCP Intent Execution Vulnerability
Platform: android
Component: mobile-next/mobile-mcp
Fixed in: 0.0.50
CVE-2026-35394 describes a critical vulnerability in the `@mobilenext/mobile-mcp` component where user-supplied URLs are passed directly to Android's intent system without scheme validation. This lack of validation allows attackers to execute arbitrary Android intents, potentially leading to unauthorized actions like making phone calls, sending SMS messages, or accessing content providers. The vulnerability affects versions prior to 0.0.50 and a patch is available in version 0.0.50.
How to fix
Upgrade to version 0.0.50 or later to mitigate the vulnerability. This version implements URL scheme validation to prevent the execution of arbitrary intents.
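The kind of scheme validation described above, as an added example (not code from this page or from mobile-mcp): a JavaScript allowlist check applied before a URL is handed to an intent launcher. The `http`/`https` allowlist, the function names and the sample URLs are assumptions; the page does not say which schemes 0.0.50 accepts.

```javascript
// Added example, not the project's code. Assumption: only web URLs are
// legitimate input, so the allowlist is http/https.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns { ok: true, url } with the normalized URL to pass on, or
// { ok: false, reason } when the input must not reach the intent system.
function validateUrlForIntent(input) {
  if (typeof input !== "string" || input.length === 0) {
    return { ok: false, reason: "empty or non-string URL" };
  }
  // The URL parser silently strips tabs, newlines and surrounding spaces.
  // Reject them up front so the checked string is the string that is used.
  if (/[\u0000-\u0020\u007f]/.test(input)) {
    return { ok: false, reason: "whitespace or control character in URL" };
  }
  let parsed;
  try {
    parsed = new URL(input); // throws on relative or malformed input
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  // parsed.protocol is lowercased by the parser, so "TEL:" cannot slip past.
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: `scheme ${parsed.protocol} not allowed` };
  }
  return { ok: true, url: parsed.href };
}

// Constructed sample inputs: one web URL plus the scheme classes named in
// the advisory (phone call, SMS, content provider).
const SAMPLES = [
  "https://example.com/path",
  "tel:+15555550100",
  "sms:+15555550100?body=hi",
  "content://com.example.provider/items",
];

// Pairs each sample with its validation result.
function checkSamples(samples) {
  return samples.map((s) => ({ input: s, ...validateUrlForIntent(s) }));
}

for (const r of checkSamples(SAMPLES)) {
  console.log(r.ok ? "ALLOW" : "BLOCK", r.input, r.ok ? "" : `(${r.reason})`);
}
```

Pass the returned `url` value, not the original string, to whatever launches the intent, so the value that was validated is the value that is used.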
Frequently asked questions
What is CVE-2026-35394?
CVE-2026-35394 is a security vulnerability in the `@mobilenext/mobile-mcp` component that allows attackers to execute arbitrary Android intents by supplying malicious URLs that are not properly validated. This can lead to unauthorized actions on the target Android device.
Am I affected by CVE-2026-35394?
You are affected if you are using a `@mobilenext/mobile-mcp` version prior to 0.0.50. If you are using version 0.0.50 or later, you are not vulnerable to this specific issue.
How can I fix CVE-2026-35394?
The vulnerability is fixed in version 0.0.50 of `@mobilenext/mobile-mcp`. Upgrade to this version or later to mitigate the risk.