Skip to main content

OPPO Wallet APP CVE-2026-22077

| EUVDEUVD-2026-25784 MEDIUM
Origin Validation Error (CWE-346)
2026-04-27 OPPO
5.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.6 MEDIUM
CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:D/RE:L/U:Amber

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:D/RE:L/U:Amber
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

5
Analysis Generated
Apr 27, 2026 - 10:00 vuln.today
CVSS changed
Apr 27, 2026 - 08:22 NVD
5.6 (MEDIUM)
EUVD ID Assigned
Apr 27, 2026 - 07:30 euvd
EUVD-2026-25784
Analysis Generated
Apr 27, 2026 - 07:30 vuln.today
CVE Published
Apr 27, 2026 - 06:37 nvd
MEDIUM 5.6

DescriptionCVE.org

OPPO Wallet APP contains a trusted domain validation flaw that allows attackers to bypass protected interface access restrictions, which may lead to account token hijacking and sensitive information disclosure.

AnalysisAI

OPPO Wallet APP contains a trusted domain validation bypass flaw that allows local attackers with user interaction to hijack account tokens and disclose sensitive information. The vulnerability affects all versions of OPPO Wallet APP and exploits improper domain verification in protected interface access controls, enabling token theft through local attack vector.

Technical ContextAI

OPPO Wallet APP implements trusted domain validation mechanisms to restrict access to protected interfaces and prevent unauthorized token access. The vulnerability stems from inadequate validation of domain authenticity, allowing attackers to circumvent security checks designed to authenticate legitimate service endpoints. This flaw is classified under information disclosure (EUVD tag) and impacts the confidentiality of authentication tokens and user data. The local attack vector (AV:L) indicates the attacker must have local access to the device, while the requirement for user interaction (UI:A) suggests the exploit requires user action such as approving a fraudulent domain or clicking a malicious link.

RemediationAI

OPPO Wallet APP users should check the official OPPO security notice at https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-2048652556296790016 for patched versions and mandatory updates. Users should update to the latest available version of OPPO Wallet APP when released. Immediate compensating controls include: disable auto-authentication features in the Wallet APP settings to force re-verification of domain identity on each session, disable notification-based quick-access to sensitive wallet functions to require explicit user authentication, and restrict physical device access to trusted users only. Users should avoid installing or granting permissions to untrusted applications on devices running OPPO Wallet APP, as the local attack vector requires app-level access to exploit the domain validation flaw.

Share

CVE-2026-22077 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy