CVE-2026-35394

Severity: High ⚡ Exploit Available
Weakness Type: CWE-939
Published: Apr 6, 2026  ·  Modified: Apr 13, 2026  ·  Source: NVD
CVSS v3: 8.3
📄 Description (English)

Mobile Next is an MCP server for mobile development and automation. Prior to 0.0.50, the mobile_open_url tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls, SMS messages, and content provider access. This vulnerability is fixed in 0.0.50.

🤖 AI Executive Summary

CVE-2026-35394 is a critical intent injection vulnerability in Mobile Next MCP server versions prior to 0.0.50 that allows attackers to execute arbitrary Android intents without scheme validation. This enables unauthorized USSD code execution, phone calls, SMS messages, and content provider access on affected mobile devices. The vulnerability poses significant risk to Saudi organizations using this tool for mobile development and automation, particularly in banking and telecommunications sectors where USSD and SMS are critical channels.

🤖 AI Intelligence Analysis Analyzed: Apr 25, 2026 01:55
🇸🇦 Saudi Arabia Impact Assessment
High impact on Saudi banking sector (SAMA-regulated institutions) where USSD codes are used for financial transactions and customer verification. Telecommunications sector (STC, Mobily, Zain) at critical risk as USSD and SMS are primary channels for mobile money and authentication. Government agencies using mobile development tools for citizen services vulnerable to unauthorized intent execution. Healthcare sector (MOH) at risk if using affected tools for mobile health applications. Financial technology companies and fintech startups heavily dependent on mobile automation face significant operational and security risks.
🏢 Affected Saudi Sectors
Banking and Financial Services, Telecommunications, Government and Public Administration, Healthcare, Financial Technology (FinTech), Mobile Application Development, E-commerce
⚖️ Saudi Risk Score (AI)
8.7 / 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Identify all instances of Mobile Next MCP server in development and production environments
2. Audit all mobile applications and automation scripts using the mobile_open_url tool
3. Implement network segmentation to restrict MCP server access to trusted development networks only
4. Disable the mobile_open_url tool immediately if not critical to operations

Patching Guidance:
1. Upgrade Mobile Next MCP to version 0.0.50 or later immediately
2. Verify patch deployment across all development, testing, and production environments
3. Restart all affected services after patching
4. Test mobile applications thoroughly post-patch to ensure functionality

Compensating Controls (if immediate patching not possible):
1. Implement strict input validation and URL scheme whitelisting at application level
2. Use Android intent filters to restrict allowed schemes (http, https only)
3. Implement Web Application Firewall (WAF) rules to block suspicious intent patterns
4. Monitor and log all URL handling requests for forensic analysis
5. Restrict MCP server access to specific IP ranges and authenticated users only

Detection Rules:
1. Monitor for intent:// scheme usage in application logs
2. Alert on USSD code execution attempts (tel:*#*#)
3. Track unauthorized SMS/phone call intents
4. Monitor content provider access patterns
5. Implement IDS/IPS signatures for Android intent injection patterns
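As an added example (not mobile-mcp's own code), the scheme allowlist from compensating controls 1 and 2 and a detector for detection rules 1 to 4, run over constructed log lines; the log line format and all function names are assumptions:

```typescript
// Added example, not mobile-mcp project code: a scheme allowlist for an "open URL"
// tool (compensating controls 1-2) and a detector over constructed log lines
// (detection rules 1-4). The log line format is assumed, not mobile-mcp's.
const ALLOWED_SCHEMES = ["http", "https"];
const DANGEROUS_SCHEMES: { [scheme: string]: string } = { // schemes the advisory names
  intent: "arbitrary Android intent",
  tel: "phone call",
  sms: "SMS message",
  content: "content provider access",
};
// RFC 3986 scheme, lower-cased; null if the input has no scheme (e.g. a relative path).
function extractScheme(raw: string): string | null {
  const m = /^\s*([A-Za-z][A-Za-z0-9+.-]*):/.exec(raw);
  return m ? m[1].toLowerCase() : null;
}
// Allowlist check to run before a URL reaches the Android intent system: case and
// whitespace are normalised so "  HTTPS://" passes, and WHATWG parsing rejects "http:".
function isAllowedUrl(raw: string): boolean {
  const scheme = extractScheme(raw);
  if (scheme === null || ALLOWED_SCHEMES.indexOf(scheme) < 0) return false;
  try { new URL(raw.trim()); return true; } catch { return false; }
}
// Classify one log line; a USSD code is a tel: target starting with '*' or '#'
// once percent-encoding is undone, so "tel:%2A%23..." is not missed.
function classifyLogLine(line: string): { url: string; alert: string } | null {
  const m = /mobile_open_url url=(\S+)/.exec(line);
  if (!m) return null;
  const url = m[1];
  const scheme = extractScheme(url);
  const label = scheme !== null && Object.prototype.hasOwnProperty.call(DANGEROUS_SCHEMES, scheme)
    ? DANGEROUS_SCHEMES[scheme] : undefined; // own-property check: "constructor" never matches
  if (scheme === null || label === undefined) {
    return { url, alert: isAllowedUrl(url) ? "none" : "non-allowlisted scheme" };
  }
  let target = url.slice(scheme.length + 1);
  try { target = decodeURIComponent(target); } catch { /* keep raw if badly encoded */ }
  const ussd = scheme === "tel" && /^[*#]/.test(target);
  return { url, alert: ussd ? "USSD code execution attempt" : label };
}
const SAMPLE_LOG = [ // constructed sample; the format is assumed, not mobile-mcp's
  "2026-04-07T10:00:01Z mobile_open_url url=https://example.com/login",
  "2026-04-07T10:00:05Z mobile_open_url url=intent://example.test/",
  "2026-04-07T10:00:09Z mobile_open_url url=tel:%2A%23100%23",
  "2026-04-07T10:00:12Z mobile_open_url url=content://example.provider/items",
];
function runDetection(lines: string[]): string[] { // one alert string per hit
  const hits = lines.map(classifyLogLine).filter((c) => c !== null && c.alert !== "none");
  return hits.map((c) => `${c!.alert}: ${c!.url}`);
}
```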
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Information security policies and procedures
ECC 2024 A.6.1.1 - Access control and authentication
ECC 2024 A.8.1.1 - Cryptography and secure communications
ECC 2024 A.12.2.1 - Change management and patch management
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Software and hardware inventory
SAMA CSF PR.AC-1 - Access control and authentication mechanisms
SAMA CSF PR.PT-2 - Secure development practices
SAMA CSF DE.CM-8 - Vulnerability scanning and management
SAMA CSF RS.MI-2 - Incident response and recovery
🟡 ISO 27001:2022
ISO 27001:2022 A.5.1 - Policies for information security
ISO 27001:2022 A.6.1 - Organization of information security
ISO 27001:2022 A.8.1 - Asset management
ISO 27001:2022 A.12.6 - Management of technical vulnerabilities
ISO 27001:2022 A.14.2 - Secure development, test and acceptance
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Security patches and updates
PCI DSS 6.5.1 - Injection flaws prevention
PCI DSS 11.2 - Vulnerability scanning
PCI DSS 12.2 - Configuration standards
📦 Affected Products / CPE (1 entry)
mobilenexthq:mobile_mcp
📊 CVSS Score
8.3 / 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H
Attack Vector: N — Network
Attack Complexity: L — Low
Privileges Required: N — None
User Interaction: R — Required
Scope: U — Unchanged
Confidentiality: L — Low
Integrity: H — High
Availability: H — High
📋 Quick Facts
Severity: High
CVSS Score: 8.3
CWE: CWE-939
EPSS: 0.05%
Exploit: ✓ Yes
Patch: ✓ Yes
Published: 2026-04-06
Source Feed: nvd
🇸🇦 Saudi Risk Score
8.7 / 10.0 — Saudi Risk
Priority: CRITICAL
🏷️ Tags
exploit-available, patch-available, CWE-939