Skip to main content

ColorOS Assistant EUVDEUVD-2026-26354

| CVE-2026-22070 HIGH
Relative Path Traversal (CWE-23)
2026-04-30 OPPO
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

4
Analysis Generated
Apr 30, 2026 - 09:30 vuln.today
EUVD ID Assigned
Apr 30, 2026 - 09:00 euvd
EUVD-2026-26354
Analysis Generated
Apr 30, 2026 - 09:00 vuln.today
CVE Published
Apr 30, 2026 - 08:27 nvd
HIGH 7.1

DescriptionCVE.org

ColorOS Assistant has an unauthenticated start-download channel, leading to file path traversal.

AnalysisAI

Path traversal in ColorOS Assistant allows local attackers to manipulate file downloads and cause high availability impact via an unauthenticated download channel. The vulnerability (CWE-23) enables writing files to arbitrary paths when a user is socially engineered to trigger the malicious download. OPPO has published a security advisory. No active exploitation confirmed; EPSS data not available for this recent 2026 CVE.

Technical ContextAI

ColorOS Assistant is OPPO's system assistant application for ColorOS, the Android-based operating system. The vulnerability exists in an exposed 'start-download' inter-process communication (IPC) channel or API endpoint that lacks authentication controls and fails to validate or sanitize file path parameters. CWE-23 (Relative Path Traversal) indicates the flaw allows attackers to manipulate download destination paths using directory traversal sequences (e.g., '../' patterns) to write files outside intended directories. The affected component is identified by CPE cpe:2.3:a:oppo:coloros_assistant with wildcard versioning, suggesting broad version impact pending vendor clarification. The local attack vector (AV:L) indicates exploitation requires the malicious component to be on the same device, likely delivered via malicious app or ADB access.

RemediationAI

Install the security update provided by OPPO for ColorOS Assistant. Consult the official OPPO security advisory at https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-2049764240746881024 for the exact patched version number, affected device models, and update availability timeline. Users should check Settings > Software Update on ColorOS devices to apply available system updates containing the fix. For enterprise mobile device management: push the OPPO security update through MDM when available and verify deployment. Interim mitigations while awaiting patch: restrict installation of applications from unknown sources (disable sideloading in Settings > Security), avoid granting storage permissions to untrusted apps, and implement mobile threat defense solutions that detect path traversal exploitation attempts. Note that disabling ColorOS Assistant entirely may impact device functionality and user experience. Physical device security controls reduce risk of local ADB-based exploitation.

Share

EUVD-2026-26354 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy