{
  "schema_version": "1.4.0",
  "id": "GHSA-5qhv-x9j4-c3vm",
  "modified": "2026-04-04T05:37:10Z",
  "published": "2026-04-04T05:37:10Z",
  "aliases": [
    "CVE-2026-35394"
  ],
  "summary": "@mobilenext/mobile-mcp: Arbitrary Android Intent Execution via mobile_open_url",
  "details": "### Summary\n\nThe `mobile_open_url` tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls, SMS messages, and content provider access.\n\n### Details\n\nThe vulnerable code passes URLs directly to `adb shell am start -a android.intent.action.VIEW -d <url>` without checking the URL scheme. This can enable malicious schemes such as `tel:`, `sms:`, `mailto:`, `content://`, and `market://` to be executed.\n\nSince MCP servers are designed to be operated by AI agents, which are vulnerable to prompt injection attacks, a malicious document or website could inject instructions that cause the AI to execute dangerous intents on a connected mobile device.\n\n### Impact\n\nAn attacker via prompt injection can:\n- Execute USSD codes (e.g., `tel:*#06#` to display IMEI - confirmed on Pixel 7a, behavior varies by device; or device-specific factory reset codes)\n- Initiate phone calls to premium rate numbers\n- Draft SMS messages with attacker-controlled content\n- Access content providers (contacts, SMS, call logs)\n- Open app installation prompts\n\n### Proof of Concept\n```json\n{\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"tools/call\",\"params\":{\"name\":\"mobile_open_url\",\"arguments\":{\"device\":\"<id>\",\"url\":\"tel:*#06#\"}}}\n```\n\nResult: IMEI displayed on device.\n```json\n{\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"tools/call\",\"params\":{\"name\":\"mobile_open_url\",\"arguments\":{\"device\":\"<id>\",\"url\":\"sms:1234567890?body=HACKED\"}}}\n```\n\nResult: SMS app opens with a pre-filled message.\n\n### Remediation\n\nUpgrade to version 0.0.50 or later, which restricts `mobile_open_url` to `http://` and `https://` schemes by default. Users who require other URL schemes can opt in by setting `MOBILEMCP_ALLOW_UNSAFE_URLS=1`.",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@mobilenext/mobile-mcp"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.50"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mobile-next/mobile-mcp/security/advisories/GHSA-5qhv-x9j4-c3vm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mobile-next/mobile-mcp/pull/299"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mobile-next/mobile-mcp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mobile-next/mobile-mcp/releases/tag/0.0.50"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-939"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-04T05:37:10Z",
    "nvd_published_at": null
  }
}