CVE-2026-20994
Description
URL redirection in Samsung Account prior to version 15.5.01.1 allows local attackers to potentially get access token.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A URL redirection vulnerability in Samsung Account before version 15.5.01.1 lets local attackers potentially steal access tokens.
Vulnerability Overview
CVE-2026-20994 is an open redirect vulnerability in the Samsung Account component, affecting versions prior to 15.5.01.1 [1]. The bug allows a malicious application or process on the device to manipulate a URL redirection mechanism within the account management flow, leading to the potential exposure of an access token [1].
Exploitation Requirements
Exploitation requires local access to the device, meaning the attacker must have installed a malicious app or otherwise gained the ability to execute code or send intents on the system [1]. No user interaction beyond the attacker's own actions is described; the attacker can trigger the redirection from within the normal app sandbox, without elevated permissions [1].
Impact
If successful, the attacker can retrieve the victim’s Samsung Account access token [1]. This token could then be used to impersonate the user and access account-related services, including personal data or cloud services tied to the Samsung Account, within the scope of the token’s privileges [1].
Mitigation
Samsung has patched the issue in Samsung Account version 15.5.01.1 [1]. Users should ensure their Samsung Account app is updated to at least this version via the Galaxy Store or system updates [1]. No workarounds beyond updating have been documented.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: < 15.5.01.1
- Samsung Mobile/Samsung Account (v5), Range: 15.5.01.1
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.