CVE-2026-28586: Android AppOpsService Permission Bypass Leading to Information Disclosure
CVE-2026-28586 is a local information disclosure vulnerability in Android's AppOpsService that allows an already-authenticated user to bypass permission checks and read sensitive data they shouldn't have access to. The flaw requires the attacker to already have a local account on the device; there's no way to exploit it remotely. The exposure is classified as low-severity because the data leaked is limited and no system functions are disrupted.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.3 LOW · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-269
- Affected products
- 6 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
In multiple functions of AppOpsService.java, there is a possible missing permission check due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
Multiple functions in AppOpsService.java fail to enforce proper permission validation before granting access to protected information. The vulnerability manifests as a permissions bypass (CWE-269) that enables a local, authenticated principal to circumvent access controls. The absence of required permission checks allows disclosure of app operation data that should be restricted. Exploitation requires no additional privileges beyond a local user account and no user interaction is required.
Business impact
The primary risk is unauthorized disclosure of app usage and permission data stored within AppOpsService. For enterprises, this could expose employee or user behavior patterns and reveal which applications are installed or actively requesting sensitive permissions. The low CVSS score reflects limited scope—data confidentiality is impacted but integrity and availability are unaffected. Organizations heavily reliant on Android for employee mobility should still assess whether app usage patterns constitute sensitive business information in their environment.
Affected systems
This vulnerability affects multiple versions of Google Android. Verification of the exact affected Android versions and patch release dates should be confirmed against the official Google Android Security & Privacy Year In Review and vendor advisories, as version-specific data requires cross-reference with Google's official security bulletins.
Exploitability
Exploitation is relatively straightforward for an attacker with local device access. No special tools, remote network access, or user interaction are required—a local user can directly invoke the vulnerable AppOpsService functions to bypass permission checks. However, the attacker must already possess legitimate credentials to access the device. The barrier to exploitation is low only in terms of technical complexity; the requirement for pre-existing local authentication significantly constrains real-world attack scope.
Remediation
Apply the security patch released by Google for your affected Android version. Verify the patch version against Google's official security advisory to ensure you're installing the correct build. Organizations should prioritize this update for devices that support it, though the low severity allows for standard update cycles rather than emergency patching.
Patch guidance
Consult Google's official Android Security & Privacy update bulletins to identify the patched Android version corresponding to your current build. The patch restores proper permission validation in AppOpsService.java functions. Organizations should test patches in a staging environment before broad deployment, though the low severity permits standard change windows. Devices running unsupported Android versions will not receive patches and should be evaluated for device lifecycle replacement.
Detection guidance
Audit logs on Android devices may show unexpected or repeated queries to AppOpsService from unprivileged processes if exploitation is occurring. Mobile device management (MDM) solutions can verify that all managed devices are running patched Android versions. Runtime behavior monitoring for excessive AppOpsService access by non-system applications could help detect active exploitation, though this requires device-level monitoring tools.
Why prioritize this
This vulnerability merits standard-priority handling rather than emergency response. The CVSS 3.3 (LOW) score reflects the requirement for local authentication, limited data exposure, and absence of system compromise. Prioritize patching after addressing any critical or high-severity vulnerabilities, but include it in your regular monthly patch cycle. Organizations with strict data governance around app usage patterns may justify faster patching.
Risk score, explained
The CVSS 3.1 score of 3.3 reflects: Attack Vector: Local (AV:L) because remote exploitation is impossible; Access Complexity: Low (AC:L) because no special conditions are needed beyond local access; Privileges Required: Low (PR:L) because an authenticated user account is necessary; User Interaction: None (UI:N) because the attack requires no user action; Confidentiality Impact: Low (C:L) because only app operations data is disclosed. Integrity and Availability are unaffected. The low score is appropriate given the local-only attack surface and constrained data exposure, though organizations handling sensitive app metadata should consider context-specific risk elevation.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. This is a local-only vulnerability. An attacker must already have a user account and physical or logical access to the Android device. It cannot be exploited over a network or by an unauthenticated remote attacker.
What information can be disclosed if exploited?
The vulnerability allows unauthorized reading of app operation data stored in AppOpsService—essentially information about which apps are installed, which permissions they have requested, and their usage patterns. The actual data exposed depends on the specific functions exploited and what an organization stores within AppOpsService.
Do we need to patch immediately?
Given the CVSS 3.3 (LOW) score, immediate emergency patching is not required. However, include this update in your standard monthly patch cycle. If your organization considers app usage data highly sensitive, you may justify faster deployment, but the low severity allows normal change management timelines.
Which Android versions are affected?
The vulnerability affects multiple Android versions, but the exact version numbers require verification against Google's official Android Security & Privacy bulletins. Check Google's security advisory page or your device manufacturer's update schedule to determine if your devices are affected and when patches are available.
This vulnerability analysis is provided for informational purposes. CVSS scores, affected product versions, and patch details are based on available public data; organizations must verify patch availability and applicability against official vendor advisories before deploying updates. This vulnerability requires local device access and does not enable remote exploitation. Consult your device manufacturer or Google's official security bulletins for authoritative patch information and timelines. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-0016LOWAndroid Credential Manager Permission Bypass & Cross-User Data Disclosure
- CVE-2026-0050LOWAndroid Bluetooth Permissions Bypass Information Disclosure
- CVE-2026-0009HIGHAndroid Tapjacking Local Privilege Escalation Vulnerability
- CVE-2026-0046MEDIUMAndroid Tapjacking Permission Escalation Vulnerability
- CVE-2026-0048MEDIUMAndroid Tapjacking Vulnerability – Privilege Escalation via WindowState
- CVE-2026-0055MEDIUMAndroid Path Traversal in PackageInstallerService Enables Local Privilege Escalation to Device Policy Controller
- CVE-2026-0086MEDIUMAndroid DisableSupervisionActivity Privilege Escalation via Null Check Bypass
- CVE-2026-0089HIGHAndroid PackageInstallerService Permission Check Bypass – Local Privilege Escalation