CVE-2025-26437 - How a Missing Permission Check in CredentialManagerService Lets Apps Steal Your Saved Credentials

In June 2025, the security community flagged a new serious vulnerability: CVE-2025-26437. Found deep inside Android’s CredentialManagerService, this bug makes it possible for any app on an affected device to grab your saved passwords or credentials—without your knowledge or any special privileges.

In this post, we'll break down what CVE-2025-26437 is, how it works, and how an attacker could exploit it, with code snippets and references. While there are no reports (yet) of mass exploitation, this bug has all the ingredients for a devastating attack, and you should know how it works.

Location

The vulnerability lives inside CredentialManagerService.java, in a class called CredentialManagerServiceStub. This service manages things like saved website/app logins—so it is a high-value target.

What Went Wrong?

When a caller (like an app) asked for the list of candidate credentials saved on your device, the service was supposed to check if the app had the right permissions before providing anything. But because of a missing permission check in a critical method, literally any app could request and get this sensitive info—no user interaction or extra privilege required.

The Vulnerable Code (Simplified)

Below is a simplified snippet that shows the problem in CredentialManagerServiceStub.

// CredentialManagerService.java
public class CredentialManagerServiceStub extends ICredentialManagerService.Stub {

    // Vulnerable method
    @Override
    public void getCandidateCredentials(String userId, ICredentialsCallback callback) {
        // [1] Missing permission check here!
        List<Credential> candidates = mStore.getCredentials(userId);

        // Return the results to the calling app
        callback.onResult(candidates);
    }
}

The comment at [1] highlights where a permission check is missing.

- Any process with access to the service can invoke getCandidateCredentials() WITHOUT having the special permission (like android.permission.CREDENTIAL_MANAGER_QUERY).

1. Malicious App Gets on Device: No special permissions needed. Any installed app can try this.
2. It Finds the Service: The app connects to CredentialManagerService using the appropriate binder calls.
3. It Requests Credentials: It calls the vulnerable method to get all candidate credentials for a given user.
4. Credentials Returned: The app receives a list of usernames, passwords, or other sensitive info, ready for exfiltration.

An attacker's app could use code like this to pull the credentials:

// Example exploit snippet
ICredentialManagerService cms = ICredentialManagerService.Stub.asInterface(
    ServiceManager.getService("credential_manager"));

cms.getCandidateCredentials("", new ICredentialsCallback.Stub() {
    public void onResult(List<Credential> creds) {
        for (Credential c : creds) {
            Log.d("Stealer", "Got credential: " + c.toString());
        }
    }
});

How Was It Fixed?

Security engineers patched the problem by adding a strict permission check before any app can get to your credentials. Now, only callers that hold the required permission can reach this interface.

The patched code looks like this:

@Override
public void getCandidateCredentials(String userId, ICredentialsCallback callback) {
    // Fail closed: reject the caller before any credential data is read.
    // mContext is the service's Context; PERMISSION_CREDENTIAL_MANAGER_QUERY
    // holds the permission string quoted above.
    if (mContext.checkCallingPermission(PERMISSION_CREDENTIAL_MANAGER_QUERY)
            != PackageManager.PERMISSION_GRANTED) {
        throw new SecurityException("Permission denied!");
    }
    List<Credential> candidates = mStore.getCredentials(userId);
    callback.onResult(candidates);
}
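As an added example that is not code from this post or from AOSP, the plain-Java model below runs the hardened pattern the patch illustrates against two simulated callers, and goes one step beyond the post by also scoping the query to the caller's own user. Binder's caller identity, the Context permission API, the permission name and the credential store are all simulated or placeholder values.

```java
import java.util.List;
import java.util.Map;

// Stand-alone model of the hardened entry point. Android's Binder supplies the
// caller's identity (Binder.getCallingUid()) and Context.checkCallingPermission();
// both are simulated by the Caller record so this runs without the Android SDK.
public class CredentialGateDemo {

    // Permission name as written in the post (assumption: the real name may differ).
    static final String QUERY_PERMISSION = "android.permission.CREDENTIAL_MANAGER_QUERY";
    static final int PER_USER_RANGE = 100000;   // Android derives userId = uid / 100000

    record Caller(int uid, List<String> granted) {
        int userId() { return uid / PER_USER_RANGE; }
        boolean holds(String perm) { return granted.contains(perm); }
    }

    // Constructed sample store: userId -> saved credentials (placeholder values).
    static final Map<Integer, List<String>> STORE = Map.of(
            0,  List.of("user0@example.com / pw-placeholder-0"),
            10, List.of("user10@example.com / pw-placeholder-10"));

    // [1] Permission gate runs before any data access: fail closed on a missing grant.
    // [2] Scope check: a caller may only query its own user. A cross-user permission
    //     is not modelled here (assumption), so any mismatch is refused.
    static List<String> getCandidateCredentials(Caller caller, int userId) {
        if (!caller.holds(QUERY_PERMISSION)) {
            throw new SecurityException("uid " + caller.uid() + " lacks " + QUERY_PERMISSION);
        }
        if (userId != caller.userId()) {
            throw new SecurityException("uid " + caller.uid() + " may not query user " + userId);
        }
        return STORE.getOrDefault(userId, List.of());
    }

    public static void main(String[] args) {
        Caller unprivileged = new Caller(10123, List.of());                 // user 0, no grant
        Caller provider     = new Caller(10456, List.of(QUERY_PERMISSION)); // user 0, granted

        System.out.println("granted, own user  : " + getCandidateCredentials(provider, 0));
        try {
            getCandidateCredentials(unprivileged, 0);
        } catch (SecurityException e) {
            System.out.println("no permission      : " + e.getMessage());
        }
        try {
            getCandidateCredentials(provider, 10);
        } catch (SecurityException e) {
            System.out.println("cross-user refused : " + e.getMessage());
        }
    }
}
```

The ordering matters: the gate throws before `STORE` is touched, so a denied caller never triggers a read of anyone's credentials.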

Official References

- Android Security Bulletin (June 2025)
- CVE Details page for CVE-2025-26437
- AOSP Commit Fixing the Bug

Conclusion and Mitigation

CVE-2025-26437 is a stark reminder that even simple mistakes, like forgetting a single permission check, can have massive security impacts on millions of devices. If your device is relatively new, make sure it's updated to the latest security patch. If you're a developer, double-check all security and permission code, especially when user credentials are involved.

Stay updated. Stay safe!

*This is an exclusive, simplified walkthrough. All code and analysis are for educational purposes only.*

Timeline

Published on: 09/04/2025 18:15:42 UTC
Last modified on: 09/08/2025 14:16:07 UTC