LOW 3.3

CVE-2026-0016: Android Credential Manager Permission Bypass & Cross-User Data Disclosure

A permissions validation flaw in Android's credential management system allows a local attacker with limited user privileges to read sensitive information across other user accounts without special permissions or user interaction. The vulnerability resides in how the system handles credential provider updates when services are removed, creating a bypass that exposes data intended to be isolated between users.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.3 LOW · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-269
Affected products
4 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

In updateProvidersWhenServiceRemoved of CredentialManagerService.java, there is a possible way to override settings across users due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-0016 is a privilege escalation and cross-user information disclosure vulnerability in Android's CredentialManagerService, specifically in the updateProvidersWhenServiceRemoved method. The flaw stems from inadequate permission checks (CWE-269) that permit a local attacker with standard user privileges to override credential provider settings across different user profiles. The attack requires local access and user-level privileges but no additional execution context or user interaction, making it straightforward to trigger once access is obtained.

Business impact

This vulnerability poses a confidentiality risk to multi-user Android devices, particularly in enterprise or shared device scenarios. Attackers can extract stored credentials, authentication tokens, or other sensitive information belonging to other users on the same device. While the CVSS score reflects low overall severity, the cross-user nature of the breach and lack of user interaction required make this a noteworthy concern for organizations managing shared or company-owned Android deployments where credential isolation is a security control.

Affected systems

Google Android is affected. The vulnerability impacts the credential manager subsystem across multiple Android versions. Users should consult Google's security advisory for specific version ranges and whether their device OS version is included in the patch scope.

Exploitability

Exploitation is straightforward for attackers already present on the device with user-level (non-root) privileges. No special tools, network access, or user interaction are needed. This makes the vulnerability particularly dangerous in compromised device scenarios or on devices used by multiple users in low-trust environments. However, the requirement for local access and existing user privileges limits the attack surface to insider threats and post-compromise lateral exploitation.

Remediation

Apply the security patch released by Google for your Android version as soon as it becomes available. Prioritize devices in multi-user or shared-device deployments. Google's June 2026 security bulletin should contain the fix; verify your device receives the update through your manufacturer's release schedule.

Patch guidance

Monitor Google's Android Security & Privacy Year in Review and monthly security bulletins for patch availability. Updates are typically rolled out incrementally by device manufacturer and carrier. For enterprise deployments, consider staging patch testing on a subset of devices before organization-wide rollout. Verify the specific Android patch level (SPL) matches or exceeds the month the fix was published.

Detection guidance

Detection is challenging without device telemetry or credential manager auditing. Endpoint detection tools should monitor for unusual access patterns to CredentialManagerService or cross-user data access in device logs. On affected devices, enable security event logging if available. Watch for anomalous credential retrieval by non-owner processes or unusual file access to credential storage directories. Behavioral monitoring for unauthorized credential exfiltration is more reliable than signature-based detection.

Why prioritize this

Although the CVSS score is low (3.3), prioritize this for multi-user Android deployments and shared device environments. The cross-user confidentiality breach and absence of user interaction required elevate practical risk beyond the numeric severity rating. Organizations managing BYOD programs or company-owned shared devices should treat this as medium priority. Single-user personal devices represent lower risk but should still receive the patch in routine security maintenance windows.

Risk score, explained

The CVSS 3.1 score of 3.3 (LOW) reflects limited scope (single user compromise context in the scoring model), no integrity or availability impact, and the requirement for local access and user-level privileges. However, the real-world severity is contextual: in multi-user device scenarios, the cross-user nature and ease of exploitation warrant treating this above the numeric score. The lack of active exploitation in the wild (KEV status is false) also factors into the conservative rating.

Frequently asked questions

Can this be exploited remotely?

No. The vulnerability requires local access to the device and existing user-level privileges. Remote exploitation is not possible.

Do I need root access to exploit this?

No. The attacker only needs standard user privileges. The vulnerability is a permissions bypass that allows unprivileged code to access restricted functions.

Why is this only rated 3.3 if it affects multiple users?

The CVSS score reflects attack complexity and required privileges in a standard single-user model. In multi-user device environments, the practical impact is higher because an attacker with one user account can breach another user's credentials. Organizations should evaluate this contextually based on their device deployment model.

Is there active exploitation of this vulnerability?

As of the publication date, this vulnerability is not listed in the KEV (Known Exploited Vulnerabilities) catalog, indicating no widespread active exploitation has been reported. However, organizations should not delay patching based on this—the simplicity of exploitation means weaponization is plausible once details are widely known.

This analysis is based on vulnerability data published as of June 2026 and CVE-2026-0016's available technical details. Patch version numbers and availability dates should be verified against Google's official Android Security & Privacy bulletins and your device manufacturer's security updates. Testing in non-production environments is strongly recommended before deploying patches to production devices. This assessment does not constitute legal, compliance, or formal risk management advice—consult your organization's security policy and vendor advisories for definitive guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).