CWE-926: Improper Export of Android Application Components
The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.
Last updated
Overview
The attacks and consequences of improperly exporting a component may depend on the exported component: If access to an exported Activity is not restricted, any application will be able to launch the activity. This may allow a malicious application to gain access to sensitive information, modify the internal state of the application, or trick a user into interacting with the victim application while believing they are still interacting with the malicious application. If access to an exported Service is not restricted, any application may start and bind to the Service. Depending on the exposed functionality, this may allow a malicious application to perform unauthorized actions, gain access to sensitive information, or corrupt the internal state of the application. If access to a Content Provider is not restricted to only the expected applications, then malicious applications might be able to access the sensitive data. Note that in Android before 4.2, the Content Provider is automatically exported unless it has been explicitly declared as NOT exported.
Background
There are three types of components that can be exported in an Android application. An Activity is an application component that provides a UI for users to interact with. A typical application will have multiple Activity screens that perform different functions, such as a main Activity screen and a separate settings Activity screen. A Service is an application component that is started by another component to execute an operation in the background, even after the invoking component is terminated. Services do not have a UI component visible to the user. The Content Provider mechanism can be used to share data with other applications or internally within the same application.
Real-world CVEs
81 recorded CVEs are caused by CWE-926 (Improper Export of Android Application Components). The highest-severity and most recent are shown first. 6 new CWE-926 CVEs have been recorded so far in 2026 (50 in 2025).
- CVE-2025-5344
Exposed AIDL service allowing for tampering of system secure settings in Bluebird kiosk application
High · CVSS 8.5 · EPSS 4th2025-07-17 - CVE-2024-13917High · CVSS 8.3 · EPSS 8th2025-05-30
- CVE-2025-68713High · CVSS 8.0 · EPSS 20th2026-06-15
- CVE-2025-32347High · CVSS 7.8 · EPSS 0th2025-09-04
- CVE-2021-25400High · CVSS 7.8 · EPSS 14th2021-06-11
- CVE-2025-15464
KL-001-2026-01: yintibao Fun Print Mobile Unauthorized Access via Context Hijacking
High · CVSS 7.5 · EPSS 37th2026-01-08 - CVE-2026-54318
Home Assistant: Exported BroadcastReceiver allows local apps to spoof device location
High · CVSS 7.1 · EPSS 2th2026-06-23 - CVE-2023-41960High · CVSS 7.1 · EPSS 8th2023-10-25
- CVE-2021-25388High · CVSS 7.1 · EPSS 0th2021-06-11
- CVE-2026-3291
Samsung Print Service Plugin – Potential Information Disclosure
Medium · CVSS 6.9 · EPSS 1th2026-05-06 - CVE-2024-13916
Exposure of Applications' Encryption PINs in Kruger&Matz AppLock
Medium · CVSS 6.9 · EPSS 7th2025-05-30 - CVE-2024-13915
Unrestricted Access to Exported Service in com.pri.factorytest
Medium · CVSS 6.9 · EPSS 8th2025-05-30
Showing 12 of 81 recorded CWE-926 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-926 vulnerabilitiesCommon consequences
What can happen when CWE-926 is exploited.
Unexpected State, DoS: Crash, Exit, or Restart, DoS: Instability, Varies by Context
Affects: Availability, Integrity
Other applications, possibly untrusted, can launch the Activity.
Unexpected State, Gain Privileges or Assume Identity, DoS: Crash, Exit, or Restart, DoS: Instability, Varies by Context
Affects: Availability, Integrity
Other applications, possibly untrusted, can bind to the Service.
Read Application Data, Modify Application Data
Affects: Confidentiality, Integrity
Other applications, possibly untrusted, can read or modify the data that is offered by the Content Provider.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Technologies
How to prevent it
Practical mitigations for CWE-926, grouped by where in the lifecycle they apply.
If they do not need to be shared by other applications, explicitly mark components with android:exported="false" in the application manifest.
If you only intend to use exported components between related apps under your control, use android:protectionLevel="signature" in the xml manifest to restrict access to applications signed by you.
Limit Content Provider permissions (read/write) as appropriate.
Limit Content Provider permissions (read/write) as appropriate.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
This application is exporting an activity and a service in its manifest.xml:
Vulnerable example
<activity android:name="com.example.vulnerableApp.mainScreen">Because these components have intent filters but have not explicitly set 'android:exported=false' elsewhere in the manifest, they are automatically exported so that any other application can launch them. This may lead to unintended behavior or exploits.
This application has created a content provider to enable custom search suggestions within the application:
Vulnerable example
<provider>Because this content provider is only intended to be used within the application, it does not need to be exported. However, in Android before 4.2, it is automatically exported thus potentially allowing malicious applications to access sensitive information.
Frequently asked questions
Common questions about CWE-926.
- What is CWE-926?
- The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.
- What CVEs are caused by CWE-926?
- 81 recorded CVEs are attributed to CWE-926, including CVE-2025-5344, CVE-2024-13917, CVE-2025-68713.
- How do you prevent CWE-926?
- If they do not need to be shared by other applications, explicitly mark components with android:exported="false" in the application manifest.
- How is CWE-926 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-926?
- Exploiting CWE-926 can lead to: Unexpected State, DoS: Crash, Exit, or Restart, DoS: Instability, Varies by Context, Gain Privileges or Assume Identity, Read Application Data.
- Is CWE-926 actively exploited?
- 81 recorded CVEs are caused by CWE-926; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-926) (opens in a new tab)
- CWE-926 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-926
Get alerted the moment a new CWE-926 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.