Severity by source
CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:D/RE:L/U:Amber
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:D/RE:L/U:Amber
Lifecycle Timeline
5DescriptionCVE.org
OPPO Wallet APP contains a trusted domain validation flaw that allows attackers to bypass protected interface access restrictions, which may lead to account token hijacking and sensitive information disclosure.
AnalysisAI
OPPO Wallet APP contains a trusted domain validation bypass flaw that allows local attackers with user interaction to hijack account tokens and disclose sensitive information. The vulnerability affects all versions of OPPO Wallet APP and exploits improper domain verification in protected interface access controls, enabling token theft through local attack vector.
Technical ContextAI
OPPO Wallet APP implements trusted domain validation mechanisms to restrict access to protected interfaces and prevent unauthorized token access. The vulnerability stems from inadequate validation of domain authenticity, allowing attackers to circumvent security checks designed to authenticate legitimate service endpoints. This flaw is classified under information disclosure (EUVD tag) and impacts the confidentiality of authentication tokens and user data. The local attack vector (AV:L) indicates the attacker must have local access to the device, while the requirement for user interaction (UI:A) suggests the exploit requires user action such as approving a fraudulent domain or clicking a malicious link.
RemediationAI
OPPO Wallet APP users should check the official OPPO security notice at https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-2048652556296790016 for patched versions and mandatory updates. Users should update to the latest available version of OPPO Wallet APP when released. Immediate compensating controls include: disable auto-authentication features in the Wallet APP settings to force re-verification of domain identity on each session, disable notification-based quick-access to sensitive wallet functions to require explicit user authentication, and restrict physical device access to trusted users only. Users should avoid installing or granting permissions to untrusted applications on devices running OPPO Wallet APP, as the local attack vector requires app-level access to exploit the domain validation flaw.
Same weakness CWE-346 – Origin Validation Error
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25784