MEDIUM 4.4

CVE-2026-11411: Path Traversal in iAI Lab PDF AI App 4.21.0 Android

A path traversal vulnerability exists in the iAI Lab PDF AI App version 4.21.0 for Android. The flaw is located in the chatpdf.pro component's getExternalCacheDir function, where improper handling of the _display_name parameter allows an attacker with local device access to manipulate file paths. This could enable unauthorized file access or modification on the affected device. Public exploit code is available, increasing the practical risk of exploitation.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.4 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Weaknesses (CWE)
CWE-22
Affected products
0 configuration(s)
Published / Modified
2026-06-06 / 2026-06-17

NVD description (verbatim)

A security flaw has been discovered in iAI Lab PDF AI App 4.21.0 on Android. Impacted is the function getExternalCacheDir of the component chatpdf.pro. Performing a manipulation of the argument _display_name results in path traversal. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11411 is a local path traversal vulnerability (CWE-22) in iAI Lab PDF AI App 4.21.0 running on Android. The vulnerability resides in the getExternalCacheDir function of the chatpdf.pro component. By crafting a malicious _display_name argument, an attacker can traverse directory structures and access files outside the intended application sandbox. The attack vector requires local access to the device, meaning the attacker must already have the ability to execute code or interact with the application directly. With CVSS 3.1 score of 4.4 (Medium severity), the impact is primarily integrity and availability focused rather than confidentiality.

Business impact

Organizations and individuals relying on iAI Lab PDF AI App for sensitive document processing face localized but meaningful risk. If an attacker gains local device access, they could read or modify files in unintended directories, potentially exposing cached PDF content or other application data. For enterprise deployments managing confidential documents, this vulnerability could lead to data exfiltration or tampering. The availability of public exploit code elevates urgency, as this is no longer theoretical risk. The vendor's lack of response to early disclosure creates indefinite exposure for existing installations.

Affected systems

iAI Lab PDF AI App version 4.21.0 on Android is confirmed vulnerable. The vulnerability is specific to the local attack surface; remote exploitation is not possible. Any user or device running this version is potentially affected, though exploitation requires local access. Newer versions or alternative PDF AI applications may be unaffected, but no patch information is currently available from the vendor.

Exploitability

This vulnerability is exploitable but requires local access to the Android device. An attacker must be able to run code or directly interact with the application—for example, through malware, physical device access, or compromised lateral movement within a shared system. The logical manipulation of the _display_name parameter is relatively straightforward, and public exploit code is already in circulation, removing technical barriers for opportunistic attackers. The lack of user interaction (UI:N in the CVSS vector) means the attack can proceed silently once local access is obtained.

Remediation

No vendor patch has been released. The iAI Lab development team has not responded to early disclosure efforts. Users should immediately uninstall iAI Lab PDF AI App 4.21.0 or cease use of the application if sensitive data processing is involved. Alternative PDF handling applications with active security maintenance should be evaluated and deployed. For organizations with devices running this version, consider enforcing application removal through mobile device management (MDM) policies if the application is not business-critical.

Patch guidance

Verify the latest version available on the Google Play Store or directly from the vendor. As of the vulnerability publication date (2026-06-06), no security patch has been released despite vendor notification. Recommend checking for updates regularly, but do not rely on a patch being forthcoming given the vendor's non-responsiveness. If an update does become available after this publication, review its release notes carefully to confirm the path traversal issue has been addressed before re-deploying.

Detection guidance

Monitor for unauthorized file access patterns on Android devices running iAI Lab PDF AI App 4.21.0, particularly in external cache directories and unintended file paths. On-device monitoring tools or Mobile Threat Defense (MTD) solutions may flag suspicious file system traversal attempts. Review application logs if available; however, this vulnerability is local and may not leave obvious traces. Network-based detection is limited due to the local-only attack vector. Prioritize inventory of affected devices across your organization to identify scope.

Why prioritize this

Although the CVSS score is moderate (4.4), this vulnerability merits higher-than-baseline attention due to several factors: (1) public exploit availability eliminates attack complexity, (2) the vendor's non-response creates indefinite exposure with no path to patching, (3) the application handles sensitive documents, making integrity and availability impact tangible, and (4) mobile applications are often overlooked in vulnerability management workflows, allowing affected instances to persist longer. Organizations managing sensitive PDF workflows should treat this as higher priority.

Risk score, explained

The CVSS 3.1 score of 4.4 reflects a Medium severity assessment. The score accounts for a local attack vector (AV:L), low attack complexity (AC:L), low privilege requirements (PR:L), no user interaction needed (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), limited integrity impact (I:L), and limited availability impact (A:L). The moderate score does not fully capture the real-world risk introduced by public exploit availability and vendor non-responsiveness. Organizations should consider contextual factors—such as the sensitivity of documents processed and the presence of local threat actors—when setting internal remediation priorities.

Frequently asked questions

Is there a patch available from iAI Lab?

No. As of the publication date, iAI Lab has not released a patch despite early vendor notification. The development team has not responded to disclosure attempts. Users should not wait for a vendor patch and should instead uninstall the application or migrate to alternatives.

Can this vulnerability be exploited remotely?

No. The attack vector is strictly local (AV:L). An attacker must have local access to the Android device to exploit the path traversal flaw. Remote exploitation over the network is not possible.

What data is at risk?

The vulnerability allows manipulation of external cache directory paths, potentially exposing cached PDF files, temporary application data, and other files stored in directories the app did not intend to access. Sensitivity depends on what documents are processed and cached by the application.

Should we uninstall the app immediately?

If the application is not mission-critical, immediate uninstallation is recommended. If it is in use for business purposes, conduct a risk assessment of the data being processed, implement compensating controls (such as restricting device physical access), and plan migration to a patched alternative. MDM policies can enforce removal across enrolled devices.

This analysis is provided for informational purposes and reflects the state of knowledge as of the publication date. The vulnerability details are sourced from official CVE records and vendor communications. Users and organizations are responsible for assessing the applicability of this information to their environment. No exploit code, proof-of-concept instructions, or weaponization guidance is provided. Recommendations should be validated against internal security policies and business requirements. SEC.co does not guarantee the availability or timeliness of vendor patches and recommends independent verification of any remediation steps before deployment. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).