Description
A local privilege escalation vulnerability exists in O+ Connect because it fails to validate the identity of the caller on the pipe interface.
Published: 2026-05-19
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the lack of identity validation on a system pipe used by O+ Connect. An authenticated local attacker may exploit this to send specially crafted commands to the service, gaining privileges higher than the attacker’s original level. This represents a permissions management flaw (CWE‑266). The outcome can be full control over the device, enabling installation of malware or unauthorized changes that compromise confidentiality, integrity, and availability.

Affected Systems

All devices running the OPPO O+ Connect application are potentially impacted. No specific version information is listed, so any installation of O+ Connect may be vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score of 7.3 indicates high severity. The EPSS score is not available, but the local nature of the exploit means an attacker with physical or local access can elevate privileges without network exposure. The vulnerability is not listed in the CISA KEV catalog, yet the combination of high severity and local escalation potential makes it a significant risk. Rapid mitigation is advised.

Generated by OpenCVE AI on May 19, 2026 at 04:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update O+ Connect to the latest firmware version that includes the pipe interface authentication fix.
  • Ensure that the device’s user accounts enforce strong passwords and that no privileged accounts are left unattended.
  • If a patch is not yet available, disable the pipe interface service or restrict its exposure to trusted local users.


Advisories

No advisories yet.

History

Tue, 19 May 2026 03:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A local privilege escalation vulnerability exists in O+ Connect because it fails to validate the identity of the caller on the pipe interface. |
| Title | | O+ Connect Local Privilege Escalation Vulnerability |
| Weaknesses | | CWE-266 |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H'} |


MITRE

Status: PUBLISHED

Assigner: OPPO

Published:

Updated: 2026-05-19T02:47:20.980Z

Reserved: 2026-01-06T06:15:53.763Z

Link: CVE-2026-22069

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-19T04:16:25.963

Modified: 2026-05-19T04:16:25.963

Link: CVE-2026-22069

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T04:30:25Z

Weaknesses