SQL Injection Vulnerability in Contacts Provider by Android
CVE-2026-28576

10 CRITICAL

Key Information:

Vendor

Android

Status
Vendor
CVE Published: 17 June 2026

What is CVE-2026-28576?

In the Contacts Provider, a vulnerability exists that allows unauthorized access to the contacts database through an SQL injection attack. Attackers can exploit this flaw without needing any user interaction or elevated privileges, potentially leading to the disclosure of sensitive information stored in the database.

Affected Version(s)

Android 17

CVSS V4

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
