Description
In Contacts Provider, there is a possible way to access the contacts database due to SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-17
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An SQL injection flaw exists in the Android Contacts Provider that allows a local attacker, based on the description, to construct malicious input that is used in an unparameterized SQL query. The flaw is identified as CWE‑89 and permits the extraction of the entire contacts database. The compromise is limited to local information disclosure, exposing personal contact data and undermining user confidentiality.

Affected Systems

Android devices that include the Contacts Provider component are affected. Because the list of specific Android releases is not provided, any device running a version of Android that contains this provider is potentially impacted until a patch is applied.

Risk and Exploitability

The CVSS score of 10 signals a critical severity, while the EPSS score of less than 1% indicates a low current exploitation likelihood. The vulnerability is local and does not require user interaction or elevated privileges, meaning that a malicious application with contact access could exploit it on the device. The flaw is not listed in CISA’s KEV catalog, suggesting no widespread exploitation activity has been documented.

Generated by OpenCVE AI on June 18, 2026 at 15:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Android security update that addresses the SQL injection flaw in the Contacts Provider
  • Modify any code that constructs SQL queries against the contacts database to enforce strict input validation and use parameterized statements, mitigating the risk identified by CWE‑89
  • Restrict contacts access in device policies so that only trusted applications can read the contacts database
  • Monitor the device for abnormal contacts data access patterns to detect potential exploitation attempts

Generated by OpenCVE AI on June 18, 2026 at 15:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title Contacts Provider SQL Injection Enabling Local Information Disclosure Android Contacts Provider SQL Injection Enabling Local Data Disclosure

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Contacts Provider SQL Injection Enabling Local Information Disclosure

Wed, 17 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Android
Android android
Vendors & Products Android
Android android

Wed, 17 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description In Contacts Provider, there is a possible way to access the contacts database due to SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-17T10:41:28.684Z

Reserved: 2026-03-02T19:10:53.531Z

Link: CVE-2026-28576

cve-icon Vulnrichment

Updated: 2026-06-17T10:41:21.846Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T15:45:03Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')