External risk intelligence

SQL Injection in Android Contacts Provider Allows Local Information Disclosure

CVE advisory

Severity: CRITICAL (CVSS 10.0)

CVE-2026-28576

A SQL injection vulnerability in the Contacts Provider allows unauthorized local information disclosure without requiring user interaction or additional privileges. This could potentially expose sensitive contact data. Confirming relevance and exposure within your environment is advised.

SQL Injection

Halo Surface Signal

Very unlikely · external exposure

Halo Surface Signal

The vulnerability resides in a local Contacts Provider database component. This component is an internal system service typically isolated within the device's operating system environment and is not designed to be accessed directly from the public internet.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in the Contacts Provider allows unauthorized access to contact information through a SQL injection flaw. Exploitation does not require user interaction and could potentially lead to the disclosure of sensitive local data.

  • Local contacts can be accessed without permission.
  • Potential access to sensitive user information.
  • Confirm relevance and exposure within the environment.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by targeting the Contacts Provider component, which is accessible without special privileges. An attacker who can reach the component can trigger the vulnerability by supplying crafted input that ends up in the SQL query. This could lead to the disclosure of sensitive contact information stored in the database.

  • No special access needed.
  • Triggered by SQL injection.
  • Leads to local data exposure.

Live Threat

Current exploitation, exposure, and threat context

SQL injection in the Contacts Provider could allow unauthorized access to the contacts database. This might result in the disclosure of local information without requiring additional execution privileges.

  • Contacts database.
  • Local information disclosure.
  • Unauthorized access to contacts.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in the Contacts Provider could allow unauthorized access to sensitive contact information. The first steps are to identify affected devices, confirm exposure, and establish business criticality. This will likely involve platform and security teams coordinating with application owners and, where necessary, the vendor for remediation.

  • Platform and security teams should own remediation.
  • Confirm local reachability and critical data.
  • Plan remediation based on risk assessment.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-28576 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability involves SQL injection, which can lead to local information disclosure and is automatically considered relevant for PCI scans.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Contacts Provider in Android?

The Contacts Provider is a core Android system component that manages the database of contact information. It acts as a central repository, allowing various apps on your device to store, retrieve, and update address book entries. By providing a unified interface, it ensures that different applications can safely interact with your personal contact data while maintaining system-wide consistency.

How does CVE-2026-28576 relate to SQL injection?

CVE-2026-28576 involves a weakness known as CWE-89, or Improper Neutralization of Special Elements used in an SQL Command. This means the Contacts Provider does not properly neutralize input before using it in a database query, allowing an attacker to inject malicious database commands. These commands trick the system into revealing sensitive contact information that would otherwise be restricted.
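The CWE-89 pattern this answer describes, shown as an added example that is not code from the Android Contacts Provider, from the advisory, or from Halo. Android content providers sit on SQLite and take a selection string, selection arguments and a sort order from the caller, so the example models that shape with a small in-memory SQLite table; the table, column names, function names and the crafted input are all constructed for this illustration and are not taken from the vulnerability itself. It places the vulnerable pattern (caller-controlled text spliced into the SQL string) beside the hardened one (values bound as parameters, identifiers checked against an allowlist), which is the remediation CWE-89 calls for.

```python
"""Constructed illustration of CWE-89 in a content-provider-style query layer.

Added example, not code from the Android Contacts Provider or the advisory.
The `contacts` table, its columns and the `query_contacts_*` functions are
assumptions made for this demonstration.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create a constructed in-memory contacts table with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contacts ("
        "id INTEGER PRIMARY KEY, display_name TEXT, phone TEXT, notes TEXT)"
    )
    conn.executemany(
        "INSERT INTO contacts (display_name, phone, notes) VALUES (?, ?, ?)",
        [
            ("Alice Example", "555-0100", "constructed private note A"),
            ("Bob Example", "555-0199", "constructed private note B"),
        ],
    )
    conn.commit()
    return conn


# Sort columns a caller may name. Identifiers cannot be bound as parameters,
# so an allowlist is the only safe way to accept them from an untrusted caller.
ALLOWED_SORT_COLUMNS = {"id", "display_name", "phone"}


def sort_column_allowed(sort_order: str) -> bool:
    """True only for a column name on the allowlist (exact match, no expressions)."""
    return sort_order in ALLOWED_SORT_COLUMNS


def query_contacts_vulnerable(conn, name_filter: str, sort_order: str = "display_name"):
    """Vulnerable pattern (CWE-89): the filter value and the sort order are
    spliced straight into the SQL text, so SQLite parses them as SQL."""
    sql = (
        "SELECT display_name, phone FROM contacts "
        f"WHERE display_name = '{name_filter}' ORDER BY {sort_order}"
    )
    return conn.execute(sql).fetchall()


def query_contacts_hardened(conn, name_filter: str, sort_order: str = "display_name"):
    """Hardened pattern: the value is bound with a '?' placeholder and is never
    interpreted as SQL; the sort column is validated against the allowlist."""
    if not sort_column_allowed(sort_order):
        raise ValueError(f"sort column not permitted: {sort_order!r}")
    sql = (
        "SELECT display_name, phone FROM contacts "
        f"WHERE display_name = ? ORDER BY {sort_order}"
    )
    return conn.execute(sql, (name_filter,)).fetchall()


def demo():
    """Run both query styles against one constructed input that turns the WHERE
    clause into a tautology when spliced in. Returns (rows_leaked, rows_hardened)."""
    conn = build_db()
    crafted = "nobody' OR '1'='1"  # constructed input, matches no real name
    leaked = query_contacts_vulnerable(conn, crafted)
    safe = query_contacts_hardened(conn, crafted)
    return len(leaked), len(safe)


if __name__ == "__main__":
    rows_leaked, rows_safe = demo()
    print(f"vulnerable query returned {rows_leaked} rows, hardened query returned {rows_safe}")
```

The two functions differ only in how the caller's text reaches SQLite: the vulnerable one returns every contact for an input that should match nothing, while the hardened one compares the literal string and returns nothing. Binding covers values but not column or table names, which is why the sort order needs its own allowlist check; a provider that parameterizes the selection but concatenates the sort order or projection is still exposed to the same weakness class.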

Do I need to interact with the device to trigger this vulnerability?

No, user interaction is not required to trigger this vulnerability. The flaw can be exploited without any action from the device owner, such as clicking a link or opening an app. It is important to note that this bug specifically concerns the database component; it is not triggered by standard, legitimate contact lookups performed by authorized applications.

Is my device at risk based on Halo Surface Signal?

Halo Surface Signal indicates that exploitation is very unlikely. While the vulnerability is technically significant, the Contacts Provider is an internal system service. It is designed to be isolated within the device's operating system environment, meaning it is generally not exposed to or reachable from the public internet.

How should I respond to this advisory?

The most effective first step is to prioritize general system maintenance. Coordinate with your platform and security teams to track the availability of security updates from your device manufacturer or vendor. Since this affects an internal system service, focus on identifying devices within your environment and preparing to deploy manufacturer-provided patches as they become available.
