Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Permission control vulnerability in contacts. Impact: Successful exploitation of this vulnerability may affect availability.
AnalysisAI
A permission control vulnerability in HarmonyOS Contacts allows local attackers without special privileges to access sensitive contact information and affect availability of the contacts application. The vulnerability exists across HarmonyOS versions and can be exploited without user interaction, resulting in information disclosure and potential service disruption.
Technical ContextAI
This vulnerability stems from a permission control deficiency (CWE-840: Authorization with Incorrect Scope) in the HarmonyOS Contacts application. The underlying issue involves improper enforcement of access controls that govern which processes or users can read, modify, or delete contact data. HarmonyOS, Huawei's proprietary operating system, implements a privilege-based access control model. The flaw allows unprivileged local processes to bypass intended permission boundaries to access the contacts database or contact management functions, which typically require explicit user authorization or system-level permissions. The CVSS vector (AV:L/AC:L/PR:N/UI:N) indicates this is a local privilege escalation or authorization bypass affecting the contacts component without requiring user interaction.
RemediationAI
Apply the security update provided in Huawei's security bulletin released May 2026 (https://consumer.huawei.com/en/support/bulletin/2026/5/). Contact Huawei support directly or check your device's system settings for available security patches, as HarmonyOS updates are typically delivered incrementally by device model and region. Until patched, users should review app permissions on their HarmonyOS devices, denying unnecessary contact access to third-party applications through Settings > Apps > Permissions > Contacts. Restrict which apps can access the Contacts application and disable contact synchronization features with untrusted services if not required. Uninstall or disable suspicious or unused applications that request contact permissions. Note that disabling contact sync may limit functionality of certain services like email or messaging apps that rely on contact data.
Same weakness CWE-840 – Business Logic Errors
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30524
GHSA-9694-5xfg-m7vr