Description
OPPO Wallet APP contains a trusted domain validation flaw that allows attackers to bypass protected interface access restrictions, which may lead to account token hijacking and sensitive information disclosure.
Published: 2026-04-27
Score: 5.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Disclosure of Account Tokens
Action: Monitor
AI Analysis

Impact

OPPO Wallet APP contains a trusted domain validation flaw that permits attackers to bypass protections on certain interfaces, which can enable the hijacking of account tokens and the disclosure of sensitive data. The vulnerability stems from inadequate verification of the domain that the request originates from, causing the application to incorrectly trust malicious traffic and expose privileged resources. At its core, the weakness allows a malicious actor to obtain credentials that are normally restricted to authenticated or trusted origins, thereby breaching confidentiality for affected users.

Affected Systems

The flaw affects the OPPO Wallet APP as distributed by OPPO. No specific version information is supplied, so all releases of the wallet that rely on the same domain validation logic are susceptible until an update is issued.

Risk and Exploitability

With a CVSS score of 5.6, the vulnerability is considered moderate in impact; however, the EPSS score of less than 1% indicates that exploit attempts are expected to be rare at present. The vulnerability is not listed in the CISA KEV catalog. An attacker would likely need to craft traffic that mimics a trusted domain or otherwise subvert the validation mechanism, which suggests a network-based attack vector requiring the ability to send requests to the wallet service. Note, however, that the published CVSS 4.0 vector (see the History section) rates Attack Vector as Local (AV:L) with active user interaction (UI:A), so the practical exposure is narrower than a purely remote reading would imply. The condition for exploitation is not obviously complicated, but because the flaw bypasses domain checks, it could be leveraged if an attacker can control the source of the request or the environment in which the wallet validates domains.

Generated by OpenCVE AI on April 28, 2026 at 04:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s security patch for OPPO Wallet as soon as it becomes available.
  • Employ network controls such as firewall rules or DNS filtering to block traffic from untrusted or spoofed domains that could reach the wallet service.
  • In the interim, enforce frequent token rotation and monitor account activity for signs of hijacking, such as anomalous logins or token usage patterns.


Tracking


Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Type: First Time appeared; Values Removed: (none); Values Added: Oppo, Oppo wallet App
Type: Vendors & Products; Values Removed: (none); Values Added: Oppo, Oppo wallet App

Mon, 27 Apr 2026 14:15:00 +0000

Type: Weaknesses; Values Removed: (none); Values Added: CWE-346
Type: Metrics; Values Removed: (none); Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 27 Apr 2026 07:30:00 +0000

Type: Description; Values Removed: (none); Values Added: OPPO Wallet APP contains a trusted domain validation flaw that allows attackers to bypass protected interface access restrictions, which may lead to account token hijacking and sensitive information disclosure.
Type: Title; Values Removed: (none); Values Added: Sensitive Information Disclosure Vulnerability Caused by Trusted Domain Bypass in OPPO Wallet
Type: References; Values Removed: (none); Values Added: (none shown)
Type: Metrics; Values Removed: (none); Values Added: cvssV4_0

{'score': 5.6, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/AU:N/R:A/V:D/RE:L/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: OPPO

Published:

Updated: 2026-04-27T13:29:23.859Z

Reserved: 2026-01-06T06:15:53.765Z

Link: CVE-2026-22077

Vulnrichment

Updated: 2026-04-27T13:19:05.812Z

NVD

Status: Deferred

Published: 2026-04-27T08:16:01.120

Modified: 2026-05-19T15:29:06.417

Link: CVE-2026-22077

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T05:00:14Z

Weaknesses