Description
Improper input validation in Samsung Members prior to version 5.6.00.11 allows remote attackers to connect arbitrary URL and launch arbitrary activity with Samsung Members privilege. User interaction is required for triggering this vulnerability.
Published: 2026-02-04
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Activity Execution
Action: Update App
AI Analysis

Impact

Improper input validation in Samsung Members allows a remote attacker to connect an arbitrary URL and launch an arbitrary activity within the app, using the app’s privileges. The vulnerability requires user interaction to trigger, but once triggered it could result in the execution of unintended functionality, potentially exposing sensitive data or allowing further exploitation within the device’s context. Based on the description, it is inferred that this flaw could represent privilege escalation or unauthorized code execution, which could compromise the integrity of the app’s environment.

Affected Systems

The vulnerability affects Samsung Members for all devices running versions prior to 5.6.00.11 on Samsung Mobile. No specific model variants are listed, and the issue is identified only for Samsung Members applications installed before this patch level.

Risk and Exploitability

The CVSS score of 7 indicates a high severity, but the EPSS score of < 1% suggests that exploitation is unlikely under typical conditions. The vulnerability is not yet listed in CISA’s KEV catalog, implying that there is no confirmed widespread exploitation. Attackers would need to trick or convince a user to engage with a specially crafted link or application to trigger the flaw, making the likelihood reliant on social engineering.

Generated by OpenCVE AI on April 18, 2026 at 14:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Samsung Members update (5.6.00.11 or newer) to eliminate the flaw.
  • If an update is not immediately available, restrict the app’s ability to accept external intent links by disabling or removing the relevant intent filters from the app’s manifest on the device.
  • Enable device‑level controls such as application permissions management to prevent Samsung Members from launching external URLs or activities without explicit user consent.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Title Samsung Members Improper Input Validation Enabling Arbitrary Activity Launch
Weaknesses CWE-284
CWE-79

Wed, 25 Feb 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Samsung members
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:samsung:members:*:*:*:*:*:*:*:*
Vendors & Products Samsung members
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Wed, 04 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Samsung
Samsung samsung Members
Vendors & Products Samsung
Samsung samsung Members

Wed, 04 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 06:45:00 +0000

Type Values Removed Values Added
Description Improper input validation in Samsung Members prior to version 5.6.00.11 allows remote attackers to connect arbitrary URL and launch arbitrary activity with Samsung Members privilege. User interaction is required for triggering this vulnerability.
References
Metrics cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: SamsungMobile

Published:

Updated: 2026-02-04T16:58:05.810Z

Reserved: 2025-12-11T01:33:35.800Z

Link: CVE-2026-20985

Vulnrichment

Updated: 2026-02-04T16:58:02.089Z

NVD

Status : Analyzed

Published: 2026-02-04T07:16:00.647

Modified: 2026-02-25T18:51:29.733

Link: CVE-2026-20985

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T14:15:04Z