CVE-2026-35394

Mobile Next has Arbitrary Android Intent Execution via mobile_open_url

Description

Mobile Next is an MCP server for mobile development and automation. Prior to 0.0.50, the mobile_open_url tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls, SMS messages, and content provider access. This vulnerability is fixed in 0.0.50.

INFO

Published Date :

2026-04-06T20:52:25.170Z

Last Modified :

2026-04-06T20:52:25.170Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-35394 vulnerability.

Vendors	Products
Mobile-next	Mobile-mcp

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-35394.

URL	Resource
https://github.com/mobile-next/mobile-mcp/security/advisories/GHSA-5qhv-x9j4-c3vm

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact