CVE-2025-26418: Android CarDevicePolicyService Privilege Escalation (CVSS 7.8)
A vulnerability in Android's device management system allows a local attacker with basic app permissions to bypass the user confirmation dialog that normally protects account additions on managed devices. This enables privilege escalation without requiring any special system access or user interaction. The flaw stems from a missing permission check in the CarDevicePolicyService component.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-862
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
In setUserDisclaimerAcknowledged of CarDevicePolicyService.java, there is a possible way to bypass the user dialog when adding an account to a managed device due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2025-26418 is a privilege escalation vulnerability in the setUserDisclaimerAcknowledged method of CarDevicePolicyService.java. The vulnerability exploits inadequate authorization controls (CWE-862: Missing Authorization) to circumvent the user acknowledgment dialog that gates account provisioning on device policy-managed Android systems. An app running with standard user privileges can invoke this method without the required permission enforcement, allowing direct manipulation of account addition workflows. The attack surface is local only, execution is straightforward, and no user interaction is needed.
Business impact
This vulnerability directly threatens the security posture of organizations deploying Android as a managed platform, particularly in automotive and IoT contexts where CarDevicePolicyService operates. An attacker could silently add accounts under victim or attacker control to a managed device, gaining persistent access to corporate data and credentials without detection. For enterprises relying on device management policies to enforce security controls, this represents a significant control bypass that undermines the entire managed device trust model.
Affected systems
Google Android devices running versions of the OS that include the CarDevicePolicyService component. The vulnerability affects the device policy management framework broadly, though the specific vulnerable versions have not been detailed in the source data. Organizations should verify their Android version and device policy implementation status directly with vendor advisories.
Exploitability
Exploitability is high. The vulnerability requires only local access (app installation) and baseline user privileges—no special permissions, root access, or elevated context is needed. The attack is reliable and deterministic because it bypasses a permission check entirely rather than exploiting a logic flaw. The absence of a user interaction requirement means the exploit can run silently in the background. However, the attacker must first install an app on the device, which represents a gating factor in many enterprise environments with app control policies.
Remediation
Organizations should prioritize patching affected Android devices to versions that include the missing permission check in CarDevicePolicyService. Until patches are applied, restrict app installation via device policy to prevent untrusted applications from reaching the vulnerable code path. Monitor for unexpected account additions on managed devices and review access logs for suspicious setUserDisclaimerAcknowledged method invocations.
Patch guidance
Apply the latest Android security patch as released by Google for your device model and operating system version. Verify patch status by cross-referencing your Android version against the official Google Security & Privacy bulletin for June 2026 and later. Test patches in a non-production environment before enterprise rollout, particularly if using CarDevicePolicyService in custom device management implementations.
Detection guidance
Monitor application behavior for calls to the setUserDisclaimerAcknowledged method without corresponding user confirmation dialogs. Implement Mobile Device Management (MDM) log analysis to detect unexpected account additions on managed devices, particularly accounts that bypass the normal provisioning workflow. Security event logs should flag instances where device policy management APIs are invoked by apps lacking appropriate manifest permissions. On-device audit logging of account management changes provides an additional detection layer.
Why prioritize this
This vulnerability earns HIGH priority due to its CVSS score of 7.8, the complete confidentiality, integrity, and availability impact (C:H, I:H, A:H), and the realistic attack scenario. Unlike many privilege escalations that require complex exploitation chains or elevated starting privileges, this flaw is trivial to exploit locally with minimal attacker requirements. For organizations using Android device management, this directly undermines their security controls. The absence of KEV designation should not lower urgency—patch adoption typically lags public disclosure, creating an exploitation window.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) reflects: local attack vector (AV:L), low complexity (AC:L), low privilege requirements (PR:L), no user interaction (UI:N), and high impact across confidentiality, integrity, and availability. The score appropriately captures the threat model—a standard app on a device can escalate privileges to bypass critical security controls without user awareness. Organizations managing sensitive data on Android devices should treat this as a control plane vulnerability requiring rapid remediation.
Frequently asked questions
Does this affect my Android phone if I'm not using device management?
CarDevicePolicyService is primarily used in managed enterprise environments and automotive systems. Standard consumer phones may not be vulnerable if they don't run the affected service. However, verify your Android version and device configuration against the vendor advisory—some carriers or manufacturers may include this component by default.
Can this vulnerability be exploited remotely?
No. The attack vector is strictly local (AV:L), requiring the attacker to install an application on the device first. Remote exploitation is not possible. However, social engineering or supply chain compromise could be used to distribute a malicious app containing the exploit.
What's the difference between this and a normal privilege escalation?
Most privilege escalations require the attacker to gain some special status first. This flaw is unique because it allows an ordinary app—one with no special permissions—to bypass a critical security control (the user dialog). It's a control-plane attack rather than a traditional privilege escalation in code execution context.
Is there a workaround if we can't patch immediately?
Restrict app installation to trusted, pre-approved applications only via your MDM solution. Disable third-party app stores. Increase monitoring of account and credential management events. These controls reduce the attack surface but do not eliminate the risk—patching is the definitive fix.
This analysis is based on publicly available vulnerability data current as of the publication date. Patch versions, affected product builds, and vendor-specific guidance should be verified directly against official Google Android Security & Privacy advisories and your device manufacturer's security documentation. SEC.co makes no warranty regarding the completeness or accuracy of version information not explicitly cited in vendor sources. Organizations should conduct independent testing before applying patches to production environments. This vulnerability analysis is provided for informational purposes to support security decision-making and does not constitute professional security advice. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2018-25391HIGHHaPe PKH 1.1 Authorization Bypass – Unauthorized Record Deletion Vulnerability
- CVE-2025-53345HIGHThimPress Thim Core Missing Authorization Leads to Code Execution
- CVE-2026-10737HIGHWordPress SP Project & Document Manager Unauthenticated File Access Vulnerability
- CVE-2026-31942HIGHLibreChat IDOR Vulnerability Allows Unauthorized API Key Manipulation
- CVE-2026-32905HIGHOpenClaw Device-Pair Authorization Bypass (CVSS 8.3)
- CVE-2026-35630HIGHOpenClaw Authorization Bypass in QQBot Approval Buttons
- CVE-2026-42669HIGHEventPrime Missing Authorization Vulnerability (CVSS 7.5)
- CVE-2026-42670HIGHMissing Authorization in Five Star Restaurant Reservations – Data Exposure Risk