CVE-2026-12065
Description
Groww Android App up to 20260805 has an internal WebView activity that can load arbitrary URLs via ADB, enabling UI redressing and phishing, with weak app-lock enforcement.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Groww Android App (com.nextbillion.groww) versions up to 20260805 contain an improper authorization vulnerability in the WebView URL handler. An internal WebView activity (.genesys.common.activities.WebActivity) can be invoked to load arbitrary external URLs without proper validation. Additionally, the client-side application lock is weakly enforced, allowing navigation into internal UI flows without passcode re-validation after activity invocation [1].
Exploitation
An attacker requires physical or debugging access to the device with an ADB-enabled environment and an existing authenticated user session. The attack complexity is high, as indicated by the CVSS score. The exploit involves using ADB commands to start the WebView activity with a crafted URL parameter, e.g., `adb shell am start -n com.nextbillion.groww/.genesys.common.activities.WebActivity --es url "https://example.com"`. This renders externally controlled content inside the application WebView, and JavaScript execution within the trusted app context is possible [1]. Proof-of-concept videos are available [2].
Impact
Successful exploitation allows an attacker to perform UI redressing, phishing-style abuse, and user deception within the trusted application context. Outbound communication to external infrastructure can be established. However, no server-side authentication bypass or direct account compromise was identified during testing [1]. The impact is limited to client-side manipulation and user deception.
Mitigation
As of the publication date (2026-06-12), no official fix has been released by the vendor. The vendor was contacted early about this disclosure [1]. Users should restrict ADB access to trusted environments, avoid enabling developer options on production devices, and ensure the app is updated once a patch becomes available. No workaround is provided in the available references.
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Insufficient validation of externally supplied WebView URLs and weak client-side app-lock enforcement between activity transitions."
Attack vector
An attacker with physical or ADB access to a device that has an authenticated Groww session can use `adb shell am start` to launch the internal `WebActivity` and pass an arbitrary URL via the `--es url` extra. The WebView renders the attacker-controlled content, including JavaScript, which can communicate outbound to external infrastructure (e.g., a Beeceptor mock server). The device must be ADB-enabled and the user must already be logged into the app [ref_id=1].
Affected code
The internal WebView activity `com.nextbillion.groww/.genesys.common.activities.WebActivity` loads arbitrary external URLs when invoked via ADB, and the client-side app-lock is not re-validated after activity transitions [ref_id=1].
What the fix does
The advisory recommends restricting WebView URL loading to trusted allowlisted domains, enforcing passcode validation before sensitive flows, and hardening internal activity navigation validation. No patch is available in the bundle, but applying these mitigations would prevent arbitrary external URLs from being rendered inside the app's WebView and close the app-lock bypass [ref_id=1].
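One way to implement the URL allowlisting recommended above, as an added example that is not from the advisory or the vendor's code. It is plain Java with no Android dependencies; the class name `WebUrlPolicy` and the `trusted.example` hosts are hypothetical placeholders.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added example: validate a URL taken from an Intent extra before WebView.loadUrl().
public final class WebUrlPolicy {
    // Hypothetical allowlist; the app's real first-party hosts are not given here.
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("trusted.example", "help.trusted.example");

    // True only for https URLs on the default port whose host is exactly allowlisted.
    public static boolean isAllowed(String raw) {
        if (raw == null) return false;
        final URI uri;
        try {
            uri = new URI(raw.trim());
        } catch (URISyntaxException e) {
            return false; // reject unparseable input instead of trying to repair it
        }
        // Blocks http:, file:, javascript:, data:, intent: and scheme-less input.
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        // Blocks https://trusted.example@attacker.example/ style confusion.
        if (uri.getRawUserInfo() != null) return false;
        // getHost() is null for opaque URIs and for authorities that are not valid hostnames.
        String host = uri.getHost();
        if (host == null) return false;
        if (uri.getPort() != -1 && uri.getPort() != 443) return false;
        // Exact match: suffix or substring checks would admit lookalike hosts.
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        String[] samples = { // constructed inputs
            "https://trusted.example/account",
            "https://example.com",
            "http://trusted.example/",
            "https://trusted.example@attacker.example/",
            "https://trusted.example.attacker.example/",
            "javascript:alert(1)",
            "file:///sdcard/page.html",
        };
        for (String s : samples) {
            System.out.printf("%-45s %s%n", s, isAllowed(s) ? "load" : "block");
        }
    }
}
```

Only the first sample is loaded. In an Android activity the same check would run on the `url` extra before loading and again from `WebViewClient.shouldOverrideUrlLoading`, so redirects and link clicks cannot leave the allowlist.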
Preconditions
- network: Physical or debugging (ADB) access to the Android device
- config: Device must be ADB-enabled
- auth: Existing authenticated user session in the Groww app
Reproduction
1. Connect an ADB-enabled device with an active Groww session.
2. Run `adb shell am start -n com.nextbillion.groww/.genesys.common.activities.WebActivity` – observe that the app navigates into internal UI without triggering the app-lock.
3. Run `adb shell am start -n com.nextbillion.groww/.genesys.common.activities.WebActivity --es url "https://example.com"` – confirm the external page renders inside the WebView.
4. Load a JavaScript-containing page and verify outbound requests carry the header `X-Requested-With: com.nextbillion.groww` [ref_id=1].
Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
News mentions (0)
No linked articles in our index yet.