Description
In Contacts Provider, there is a possible way to access the contacts database due to SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-17
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An SQL injection flaw exists in the Android Contacts Provider that allows a local actor to read the entire contacts database without needing elevated privileges. This vulnerability, classified as CWE-89, gives an attacker the ability to extract personal data from a device. The impact is a breach of user confidentiality and can reveal sensitive contact details.

Affected Systems

The flaw is present in Android’s Contacts Provider component. Specific affected Android releases are not listed, so all devices running the current or older versions of Android that include this provider are potentially impacted until a fix is applied.

Risk and Exploitability

The CVSS score of 10 indicates a critical severity rating. However, the EPSS score is under 1%, implying that the likelihood of exploitation is currently low. The vulnerability is local and does not require user interaction, so any application running on the device could leverage it. Because the flaw is not listed in CISA's KEV catalog, there is no known large-scale exploitation activity recorded at this time.

Generated by OpenCVE AI on June 17, 2026 at 17:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Android security update that addresses the SQL injection in the Contacts Provider
  • If an update is not available, restrict contacts access in device policies so that only trusted applications can read the contacts database
  • Monitor the device for abnormal contacts data access patterns to detect potential exploitation attempts


Advisories

No advisories yet.

History

Wed, 17 Jun 2026 12:30:00 +0000

Type            Values Removed    Values Added
Weaknesses                        CWE-89
Metrics                           ssvc
                                  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 17 Jun 2026 09:45:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Android
                                        Android android
Vendors & Products                      Android
                                        Android android

Wed, 17 Jun 2026 07:45:00 +0000

Type            Values Removed    Values Added
Description                       In Contacts Provider, there is a possible way to access the contacts database due to SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
References
Metrics                           cvssV4_0
                                  {'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-17T10:41:28.684Z

Reserved: 2026-03-02T19:10:53.531Z

Link: CVE-2026-28576

Vulnrichment

Updated: 2026-06-17T10:41:21.846Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T09:30:06Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')