CVE-2026-57848 in Stoatinfo

Summary

by MITRE • 07/18/2026

Stoat for Android exports the chat.stoat.activities.ShareTargetActivity component (reachable to any process on the device via the android.intent.action.SEND intent) and accepts the file to share as a URI supplied through the android.intent.extra.STREAM extra. The activity does not validate or filter the incoming URI before using it as the outgoing attachment, so a caller can pass a file:// URI pointing at the application's own internal storage (for example /data/data/chat.revolt/databases/revolt.db, cached authentication token files, or preferences) and have the app treat that internal file as a user-selected attachment. An attacker who can invoke intents on the victim's device (via ADB access, a co-installed malicious application, or any other route that reaches Android's intent dispatch) can launch ShareTargetActivity with such a URI and cause the victim, on a single channel-selection interaction, to send the internal file to any Stoat channel or user of the attacker's choosing. The composer displays the attachment as \"attachment\" with no filename indication, so the victim has no visible signal that the file being sent is their own internal application data. Consequences include disclosure of the local Stoat database (message history, contact list, cached content), disclosure of authentication tokens permitting full account takeover, and disclosure of any other file readable by the app process.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/19/2026

This vulnerability represents a critical information disclosure flaw in the Stoat for Android application that stems from improper input validation within the ShareTargetActivity component. The issue manifests when the application exports an activity that listens for android.intent.action.SEND intents and processes files through the android.intent.extra.STREAM extra parameter. According to CWE-20, this constitutes a classic input validation vulnerability where untrusted data flows directly into application logic without proper sanitization or verification. The flaw allows any process on the device to invoke this exported activity and pass arbitrary file URIs that point to internal application storage areas.

The technical implementation of this vulnerability exploits Android's intent system by leveraging the fact that ShareTargetActivity accepts file:// URIs without adequate validation mechanisms. When an attacker crafts a malicious intent with a URI pointing to sensitive internal files such as /data/data/chat.revolt/databases/revolt.db or authentication token files, the application processes these URIs directly without verification. This behavior aligns with ATT&CK technique T1203 which describes the exploitation of application vulnerabilities to gain access to sensitive data. The vulnerability exists because the activity fails to implement proper URI validation or path traversal restrictions that would prevent access to files outside the intended sharing scope.

The operational impact of this vulnerability extends beyond simple information disclosure to include full account takeover capabilities. When an attacker successfully invokes the vulnerable activity, they can harvest sensitive application data including local databases containing message histories, contact lists, and cached content. More critically, authentication tokens stored in internal application storage can be exfiltrated, enabling attackers to assume complete control over user accounts. The attack vector requires only that an attacker can invoke intents on the victim's device through various means including ADB access, co-installed malicious applications, or other Android privilege escalation techniques. According to CWE-502, this represents a deserialization vulnerability where untrusted data is processed without proper validation, leading to arbitrary file read capabilities.

The attack execution process involves minimal user interaction requirements, as the victim only needs to select a channel for sharing after the malicious intent is invoked. The application's interface displays attachments simply as "attachment" without any filename indication, providing no visual warning to users about the nature of the file being shared. This lack of user feedback makes the attack particularly insidious and difficult to detect. The vulnerability affects all Android versions where the Stoat application remains installed and exported the vulnerable activity. From a security perspective, this flaw violates fundamental principles of least privilege and input sanitization as defined by OWASP Top Ten and NIST cybersecurity frameworks. The compromise of internal application storage exposes not just database contents but also any other files readable by the application process, potentially including configuration data, cached content, or other sensitive user information.

Mitigation strategies should focus on implementing proper URI validation mechanisms within the ShareTargetActivity component to prevent access to internal file paths. The most effective approach involves validating that incoming URIs point only to external storage locations or explicitly permitted internal directories. Additionally, the exported activity should be restricted to specific applications using intent filters or signature verification mechanisms rather than accepting arbitrary intents from any application on the device. Security hardening measures should include implementing proper access controls and ensuring that sensitive data is not stored in easily accessible internal storage locations without appropriate encryption or access controls. Regular security audits should verify that exported components properly validate all incoming data and implement appropriate sandboxing measures to prevent unauthorized file access.

Responsible

VulnCheck

Reservation

06/25/2026

Disclosure

07/18/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

medium

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!