Impact
The mobile_open_url tool forwards the URL it receives straight to Android's intent system without validating the URI scheme. A caller can therefore trigger far more than the opening of a web page: tel: and sms: URIs place calls or compose messages, USSD dial codes reach carrier services, content:// URIs address other apps' content providers, and any custom scheme dispatches to whatever app has registered it. Because the intent is fired without checks, an attacker who controls the URL can exfiltrate data, place calls, send messages, or drive other apps on the device. The weakness is classified as CWE-939, Improper Authorization in Handler for Custom URL Scheme.
Affected Systems
The flaw resides in the mobile-mcp component of the Mobile Next platform (the Mobile Next MCP server). All versions prior to 0.0.50 are affected; upgrading to 0.0.50 or later removes the unchecked URL forwarding.
Risk and Exploitability
With a CVSS score of 8.3 the vulnerability is rated high severity. No EPSS score is available and the issue is not listed in the CISA KEV catalog; that means there is no public record of exploitation in the wild, not that exploitation is impractical. The attack vector depends on deployment: a server reachable only by local clients requires local access, while one exposed over a network can be driven remotely. In either case the only prerequisite is getting a chosen URL into the tool call. Since an MCP tool is normally invoked by an LLM agent, a URL embedded in content the agent reads (a web page, a message, a document) can reach the tool if the agent is induced to call it. Until validation is added the risk remains significant, because an arbitrary Android intent can produce a wide range of harmful effects.
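The mitigation the Impact and Risk sections call for is a scheme check in front of the intent dispatch. The following Node.js code is an added example and is not mobile-mcp's own implementation or its fix; the function names, the allowlist, the use of `am start` over adb, and the sample requests are assumptions made for illustration. It puts the vulnerable shape (the URL becomes the intent data URI unchanged) next to a hardened shape that refuses anything outside an http/https allowlist.

```javascript
// Added example (not mobile-mcp's own code): a scheme allowlist in front of an
// Android "open URL" tool that shells out to `adb shell am start`. Function
// names, the allowlist, and the argv layout are assumptions for illustration.

// Only web URLs may be handed to the intent resolver. Everything else
// (tel:, sms:, content://, intent://, custom app schemes) is refused.
const ALLOWED_SCHEMES = new Set(["http", "https"]);

// WHATWG URL parsing; returns null instead of throwing on input such as a
// bare USSD dial string "*#06#" that carries no scheme at all.
function parseUrl(raw) {
  try {
    return new URL(raw);
  } catch {
    return null;
  }
}

// Decide whether a URL may be opened. Returns {ok, scheme, reason} so the
// tool can log why a request was rejected without echoing the whole URL.
function checkOpenUrl(raw) {
  const parsed = parseUrl(raw);
  if (parsed === null) {
    return { ok: false, scheme: null, reason: "not an absolute URL" };
  }
  // protocol is already lower-cased by the parser and carries a trailing ':'
  const scheme = parsed.protocol.slice(0, -1);
  if (!ALLOWED_SCHEMES.has(scheme)) {
    return { ok: false, scheme, reason: `scheme "${scheme}" is not allowed` };
  }
  return { ok: true, scheme, reason: "allowed" };
}

// Vulnerable shape: whatever the caller sent becomes the intent's data URI.
// On a device this resolves tel:, sms:, content:// and app-private schemes
// exactly as readily as it resolves https://.
function intentArgsUnchecked(url) {
  return ["shell", "am", "start", "-a", "android.intent.action.VIEW", "-d", url];
}

// Hardened shape: refuse before anything reaches adb. The result is an argv
// array intended for child_process.execFile("adb", args) rather than a shell
// string, so URL contents cannot be interpreted by a local shell either.
function intentArgsChecked(url) {
  const verdict = checkOpenUrl(url);
  if (!verdict.ok) {
    throw new Error(`refusing to open URL: ${verdict.reason}`);
  }
  return intentArgsUnchecked(url);
}

// Constructed sample requests of the kind an MCP client (or an agent that
// read a malicious page) could send to mobile_open_url.
const SAMPLE_REQUESTS = [
  "https://example.com/docs",
  "tel:+15551234567",
  "sms:+15551234567?body=hello",
  "content://sms/inbox",
  "intent://example/#Intent;scheme=example;end",
  "*%2306%23",
];

// Run every sample through the check and return the verdicts.
function triage(requests = SAMPLE_REQUESTS) {
  return requests.map((url) => ({ url, ...checkOpenUrl(url) }));
}

for (const v of triage()) {
  console.log(`${v.ok ? "ALLOW" : "DENY "} ${v.url}  (${v.reason})`);
}
```

Two caveats apply to any check of this kind. First, it is an allowlist on the scheme only; a deployment that must not let the device browse arbitrary hosts would also need a host allowlist or an explicit per-session confirmation. Second, the check parses with the WHATWG URL parser while the device parses with Android's own Uri logic, so inputs that the two parsers read differently should be rejected rather than normalised and forwarded; refusing anything that fails to parse as an absolute URL, as above, is the conservative choice.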