Description
Improper input validation in Samsung Members prior to version 5.8.01.5 allows local attackers to access arbitrary URL and launch arbitrary activity with Samsung Members privilege.
Published: 2026-06-05
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is caused by insufficient validation of user-supplied URLs. A malicious payload can be supplied from within the device, causing the application to open a URL scheme that launches any desired activity under Samsung Members’ privileges. The attack remains confined to the application’s trust boundary and does not elevate privileges beyond those granted to Samsung Members.

Affected Systems

Samsung Mobile’s Samsung Members application, all versions prior to 5.8.01.5. The issue is local, affecting only devices that already have the vulnerable app installed.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity. EPSS data is unavailable, and the vulnerability is not listed in CISA’s KEV catalog, suggesting limited known exploitation. The likely attack vector is local, requiring the attacker to have physical or local remote access to the device; no external network-based attack is noted in the description.

Generated by OpenCVE AI on June 5, 2026 at 12:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Samsung Members to version 5.8.01.5 or later, which contains input validation fixes
  • If an immediate update is not possible, consider uninstalling or disabling Samsung Members to eliminate the local threat surface
  • Monitor device logs for unexpected activity launches and apply any additional device monitoring or permissions restrictions recommended by Samsung

Advisories

No advisories yet.

History

Sun, 07 Jun 2026 11:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Samsung Mobile; Samsung Mobile samsung Members |
| Vendors & Products | | Samsung Mobile; Samsung Mobile samsung Members |

Fri, 05 Jun 2026 20:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Fri, 05 Jun 2026 12:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | | Improper URL Validation Enables Local Attacker to Launch Arbitrary Activities in Samsung Members |
| Weaknesses | | CWE-20 |

Fri, 05 Jun 2026 10:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Improper input validation in Samsung Members prior to version 5.8.01.5 allows local attackers to access arbitrary URL and launch arbitrary activity with Samsung Members privilege. |
| References | | |
| Metrics | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: SamsungMobile

Published:

Updated: 2026-06-05T19:09:05.745Z

Reserved: 2025-12-11T01:33:35.806Z

Link: CVE-2026-21037

Vulnrichment

Updated: 2026-06-05T19:08:58.815Z

NVD

Status: Awaiting Analysis

Published: 2026-06-05T11:16:36.440

Modified: 2026-06-05T14:59:51.620

Link: CVE-2026-21037

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-07T11:17:17Z

Weaknesses
  • CWE-20: Improper Input Validation