Description
A vulnerability was identified in Groww Stock, Mutual Fund, Gold App up to 20260805 on Android. This affects an unknown part of the component WebView URL Handler. The manipulation leads to improper authorization in handler for custom url scheme. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. It is indicated that the exploitability is difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure.
Published: 2026-06-12
Score: 1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in the Groww Stock, Mutual Fund, Gold App for Android, up to build 20260805, lets an attacker manipulate the WebView URL handler that processes custom URL schemes. Because the handler does not properly authorize these requests, the attacker can access or trigger app-specific actions without proper authentication, leading to potential exposure of sensitive financial data or unauthorized transactions. The weakness is classified as CWE-285 (Improper Authorization) and CWE-939 (Improper Authorization in Handler for Custom URL Scheme).

Affected Systems

The issue impacts the Android application Groww Stock, Mutual Fund, Gold App, in builds up to 20260805. The vulnerability resides in an unspecified part of the WebView URL Handler component, which handles custom URL schemes; only the specified product and version range are listed as affected.

Risk and Exploitability

The CVSS score of 1 indicates low inherent severity, and no EPSS score is available. However, the vulnerability is publicly documented and an exploit is publicly available. Based on the description, it is inferred that an attacker would need to deliver a crafted URL directly to the target device, so the attack vector is limited to physical access to the device or an already compromised device rather than remote execution. The attack complexity is high and exploitation is rated difficult, so the likelihood of exploitation in the wild is currently low; the vulnerability is not listed in CISA's KEV catalog.

Generated by OpenCVE AI on June 12, 2026 at 15:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Groww app build newer than 20260805 once the vendor releases one that fixes the WebView URL handler; builds up to 20260805 are listed as affected and no fixed version is identified yet.
  • If no patched build is available, uninstall the current app and wait for the vendor to release one.
  • As a temporary measure, block the app’s ability to open custom URL schemes via Android settings or a device policy that forbids such navigation.

Generated by OpenCVE AI on June 12, 2026 at 15:29 UTC.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 16:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| References | | |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Fri, 12 Jun 2026 13:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A vulnerability was identified in Groww Stock, Mutual Fund, Gold App up to 20260805 on Android. This affects an unknown part of the component WebView URL Handler. The manipulation leads to improper authorization in handler for custom url scheme. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. It is indicated that the exploitability is difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure. |
| Title | | Groww Stock, Mutual Fund, Gold App WebView URL improper authorization in handler for custom url scheme |
| First Time appeared | | Groww; Groww stock Mutual Fund Gold App |
| Weaknesses | | CWE-285; CWE-939 |
| CPEs | | cpe:2.3:a:groww:stock_mutual_fund_gold_app:*:*:*:*:*:*:*:* |
| Vendors & Products | | Groww; Groww stock Mutual Fund Gold App |
| References | | |
| Metrics | | cvssV2_0: {'score': 1, 'vector': 'AV:L/AC:H/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'} |
| | | cvssV3_0: {'score': 1.8, 'vector': 'CVSS:3.0/AV:P/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'} |
| | | cvssV3_1: {'score': 1.8, 'vector': 'CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'} |
| | | cvssV4_0: {'score': 1, 'vector': 'CVSS:4.0/AV:P/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-12T15:19:01.719Z

Reserved: 2026-06-12T07:32:56.280Z

Link: CVE-2026-12065

Vulnrichment

Updated: 2026-06-12T15:17:43.346Z

NVD

Status: Deferred

Published: 2026-06-12T14:16:30.413

Modified: 2026-06-12T16:16:27.273

Link: CVE-2026-12065

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T20:00:17Z

Weaknesses
  • CWE-285

    Improper Authorization

  • CWE-939

    Improper Authorization in Handler for Custom URL Scheme