Skip to main content

RoboForm Password Manager EUVDEUVD-2026-31200

| CVE-2026-47782 MEDIUM
Insufficient UI Warning of Dangerous Operations (CWE-357)
2026-05-20 vultures@jpcert.or.jp GHSA-5mhm-vj5h-r98h
4.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.6 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 20, 2026 - 23:31 vuln.today

DescriptionCVE.org

Android App "RoboForm Password Manager" provided by Siber Systems, Inc. handles Android intents without sufficient URL validation, user confirmation nor notification. If a URL to some malicious web page is given through an intent, RoboForm may silently download files without user confirmation nor notification.

AnalysisAI

Silent file download in RoboForm Password Manager for Android (Siber Systems, Inc.) can be triggered by a co-installed malicious application delivering a crafted Android Intent containing an attacker-controlled URL. RoboForm fails to validate the URL destination, request user confirmation, or surface any notification before fetching and writing remote content to the device. Reported by JPCERT (JVNVU93461473) with no CISA KEV listing and no public exploit identified at time of analysis, placing this in a moderate-low real-world risk category despite the sensitive nature of the affected product - a password manager.

Technical ContextAI

The vulnerability lies in Android's Inter-Process Communication (IPC) mechanism - specifically the Intent system, which allows any application installed on a device to dispatch messages (Intents) to other apps. RoboForm exposes one or more Intent-receiving components (Activity, Service, or BroadcastReceiver) that accept URL parameters without enforcing origin trust, URL allowlisting, or scheme validation. CWE-357 captures the insufficient-notification dimension: the application proceeds with a potentially dangerous operation - fetching and persisting remote content - without surfacing any user-visible confirmation dialog or system notification. The result is that the URL-fetch side-effect of the Intent is completely opaque to the user. Because the product is a password manager, the implicit trust users place in it makes silent background activity particularly significant from a security posture standpoint.

RemediationAI

Users should update RoboForm Password Manager to the latest version available on Google Play (https://play.google.com/store/apps/details?id=com.siber.roboform). The vendor has published a news advisory at https://www.roboform.com/news-android which should be consulted to confirm the exact patched version number - that version is not independently confirmed from the intelligence data provided, so do not rely on an assumed version without verifying against the vendor advisory or JPCERT JVNVU93461473. As a compensating control pending update, audit all applications installed on affected Android devices and remove untrusted, unknown, or sideloaded applications, since the attack requires a co-installed malicious app capable of sending Intents. Disabling installation from unknown sources (Settings > Security > Unknown Sources) reduces the probability of a malicious intent-sender being introduced onto the device. Enterprise administrators using MDM solutions should consider enforcing app allowlists to prevent co-installation of unauthorized apps alongside credential managers.

Share

EUVD-2026-31200 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy