Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (SamsungMobile) · only source for this CVE.
CVSS VectorVendor: SamsungMobile
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Improper authorization in Samsung Internet prior to version 30.0.0.39 allows local attackers to access sensitive information.
AnalysisAI
Improper authorization in Samsung Internet (Android browser) prior to version 30.0.0.39 allows a local attacker with low-level privileges to access sensitive information stored or processed by the browser, with downstream high-severity impact on subsequent systems as reflected in the CVSS 4.0 SC:H/SI:H/SA:H scores. The vulnerability requires only local access and no user interaction, making it exploitable by any co-resident low-privileged app or user account on the device. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and Samsung Mobile has released a patched version.
Technical ContextAI
Samsung Internet is Samsung Mobile's proprietary Android web browser, identified by CPE cpe:2.3:a:samsung_mobile:samsung_internet:*:*:*:*:*:*:*:*. The vulnerability is an improper authorization flaw - meaning the browser fails to adequately enforce access controls on sensitive data or operations accessible to co-resident processes or lower-privileged system components. No CWE was assigned by the reporter, but the root cause class is consistent with broken access control (analogous to CWE-285: Improper Authorization or CWE-862: Missing Authorization). The CVSS 4.0 vector is notable: while the confidentiality impact on the vulnerable component itself is rated Low (VC:L), the subsequent system impacts are all High (SC:H/SI:H/SA:H), indicating that the sensitive information accessible through this flaw - potentially including browsing history, saved credentials, cookies, or session tokens - can be leveraged to compromise other systems, services, or accounts beyond the browser itself.
RemediationAI
Update Samsung Internet to version 30.0.0.39 or later, which Samsung Mobile has confirmed as the patched release per the June 2026 security bulletin at https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=06. Users should apply the update via the Galaxy Store or Google Play Store immediately. As an interim compensating control on devices where patching is delayed, administrators managing enterprise Android fleets via MDM can restrict the installation of unknown or untrusted applications to reduce the risk of a malicious co-resident app exploiting this flaw; note this does not eliminate risk from physically present users. Disabling Samsung Internet and substituting an alternate browser is a viable but disruptive workaround that eliminates attack surface entirely at the cost of losing Samsung-integrated features. No side effects of the official patch have been noted by the vendor.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34808
GHSA-8mjw-wh53-grh9