Severity by source
AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:H
Lifecycle Timeline
4DescriptionCVE.org
ColorOS Assistant has an unauthenticated start-download channel, leading to file path traversal.
AnalysisAI
Path traversal in ColorOS Assistant allows local attackers to manipulate file downloads and cause high availability impact via an unauthenticated download channel. The vulnerability (CWE-23) enables writing files to arbitrary paths when a user is socially engineered to trigger the malicious download. OPPO has published a security advisory. No active exploitation confirmed; EPSS data not available for this recent 2026 CVE.
Technical ContextAI
ColorOS Assistant is OPPO's system assistant application for ColorOS, the Android-based operating system. The vulnerability exists in an exposed 'start-download' inter-process communication (IPC) channel or API endpoint that lacks authentication controls and fails to validate or sanitize file path parameters. CWE-23 (Relative Path Traversal) indicates the flaw allows attackers to manipulate download destination paths using directory traversal sequences (e.g., '../' patterns) to write files outside intended directories. The affected component is identified by CPE cpe:2.3:a:oppo:coloros_assistant with wildcard versioning, suggesting broad version impact pending vendor clarification. The local attack vector (AV:L) indicates exploitation requires the malicious component to be on the same device, likely delivered via malicious app or ADB access.
RemediationAI
Install the security update provided by OPPO for ColorOS Assistant. Consult the official OPPO security advisory at https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-2049764240746881024 for the exact patched version number, affected device models, and update availability timeline. Users should check Settings > Software Update on ColorOS devices to apply available system updates containing the fix. For enterprise mobile device management: push the OPPO security update through MDM when available and verify deployment. Interim mitigations while awaiting patch: restrict installation of applications from unknown sources (disable sideloading in Settings > Security), avoid granting storage permissions to untrusted apps, and implement mobile threat defense solutions that detect path traversal exploitation attempts. Note that disabling ColorOS Assistant entirely may impact device functionality and user experience. Physical device security controls reduce risk of local ADB-based exploitation.
Same weakness CWE-23 – Relative Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26354