Android Intent Vulnerability in Mobile Next MCP Server
CVE-2026-35394

8.3 HIGH

Key Information:

Vendor
CVE Published: 6 April 2026

What is CVE-2026-35394?

The mobile_open_url tool in the Mobile Next MCP server has an improper input validation vulnerability. The tool passes user-supplied URLs directly to Android's intent system without verifying the URL's scheme. This allows attackers to execute arbitrary Android intents, which may include launching USSD codes, making phone calls, sending SMS messages, and accessing content providers without proper authorization. The flaw is addressed in version 0.0.50.
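The missing check described above can be illustrated with a scheme allow-list applied before a URL is handed to the device. This is an added example, not mobile-mcp's code or its 0.0.50 fix; the helper name checkOpenUrl, the http/https-only policy and the sample inputs are assumptions made for the illustration.

```javascript
// Added example: scheme allow-list for a URL-opening tool.
// Hypothetical helper, not mobile-mcp code. Assumed policy: web links only.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

function checkOpenUrl(input) {
  if (typeof input !== "string" || input.length === 0) {
    return { ok: false, reason: "not a non-empty string" };
  }
  // Reject whitespace and control characters outright. The WHATWG parser
  // strips tabs and newlines, so the parsed value could otherwise differ
  // from the string that was received.
  if (/[\u0000-\u0020\u007f]/.test(input)) {
    return { ok: false, reason: "whitespace or control character" };
  }
  let parsed;
  try {
    parsed = new URL(input); // throws on relative or scheme-less input
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  // URL.protocol is lower-cased and includes the trailing colon.
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: `scheme ${parsed.protocol} not allowed` };
  }
  // Forward the parsed form so the checked value is the value that is used.
  return { ok: true, url: parsed.href };
}

// Constructed sample inputs, one per intent class named in the advisory,
// plus two malformed forms.
const SAMPLES = [
  "https://example.com/path?q=1",
  "HTTP://Example.com",
  "tel:*123%23",
  "sms:5550100?body=hi",
  "content://com.example.provider/items",
  "example.com",
  " https://example.com",
];

function runSamples() {
  return SAMPLES.map((s) => [s, checkOpenUrl(s)]);
}

for (const [s, r] of runSamples()) {
  console.log(r.ok ? "ALLOW" : "DENY ", JSON.stringify(s), r.ok ? r.url : r.reason);
}
```

Only the value returned in url should be passed on; the raw input is never forwarded.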

Affected Version(s)

mobile-mcp < 0.0.50

CVSS V3.1

Score: 8.3
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
