Improper Authorization in Handler for Custom URL Scheme Affecting @mobilenext/mobile-mcp package, versions <0.0.50
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-MOBILENEXTMOBILEMCP-15918166
- published6 Apr 2026
- disclosed4 Apr 2026
- creditManthan Ghasadiya
Introduced: 4 Apr 2026
NewCVE-2026-35394 (opens in a new tab)Common Vulnerabilities and Exposures (CVE) are common identifiers for publicly known security vulnerabilities
Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade @mobilenext/mobile-mcp to version 0.0.50 or higher.
Overview
@mobilenext/mobile-mcp is a Mobile MCP
Affected versions of this package are vulnerable to Improper Authorization in Handler for Custom URL Scheme via the mobile_open_url function. An attacker can execute arbitrary Android intents, such as initiating phone calls, sending SMS messages, accessing content providers, or triggering app installations by supplying specially crafted URLs.
Note: This is only exploitable if the system is operated by an AI agent that can be manipulated through prompt injection.