Cyber Resilience

CVE-2026-22070

Severity: High
Published: 30 April 2026
Modified: 05 May 2026
KEV Added: not listed
Patch: see the Oppo advisory linked under "Deeper analysis"
CVSS v3.1 Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:H)
EPSS Score: 0.0021 (11.0th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-22070 is a high-severity Relative Path Traversal (CWE-23) vulnerability in Oppo ColorOS Assistant. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105). Its EPSS ranks it at the 11.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-22070 is a file path traversal vulnerability (CWE-23, Relative Path Traversal) in ColorOS Assistant. It is caused by an unauthenticated start-download channel whose caller-supplied path is not validated, so relative path components can reach files outside the intended directory. The vulnerability was published on 2026-04-30 and carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:H).

A local attacker with no privileges can exploit it with low complexity, provided a user interacts (for example by triggering the start-download channel). Successful exploitation crosses a scope boundary and has low integrity impact (limited file modification) together with high availability impact, which could disrupt system services or cause a denial of service.

The Oppo security advisory at https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-2049764240746881024 provides further details on mitigation and patches.

Vulnerability details

ColorOS Assistant has an unauthenticated start-download channel, leading to file path traversal.

CWE(s)

CWE-23 Relative Path Traversal
Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1105 Ingress Tool Transfer (Command and Control): Adversaries may transfer tools or other files from an external system into a compromised environment.

T1565.001 Stored Data Manipulation (Impact): Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

Why these techniques?

Path traversal in the unauthenticated download channel directly enables arbitrary file writes (tool placement and stored data manipulation), leading to limited modifications and denial of service.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-39305 (shared: CWE-22)
CVE-2024-54461 (shared: CWE-22, CWE-23)
CVE-2026-33645 (shared: CWE-22)
CVE-2026-27625 (shared: CWE-22, CWE-23)
CVE-2024-54462 (shared: CWE-22, CWE-23)
CVE-2024-11343 (shared: CWE-22)
CVE-2025-27395 (shared: CWE-22)
CVE-2026-26065 (shared: CWE-22)
CVE-2026-27699 (shared: CWE-22)
CVE-2026-20660 (shared: CWE-22)

Affected Assets

Vendor: Oppo
Product: ColorOS Assistant
Version: 1.4.26

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-10 Information Input Validation (prevent): Requires validation of inputs to the unauthenticated start-download channel to block path traversal attempts.

AC-14 Permitted Actions Without Identification or Authentication (prevent): Restricts or eliminates unauthenticated actions like the start-download channel that enable local attackers to perform path traversal.

Flaw remediation (prevent): Mandates timely identification, reporting, and correction of the path traversal flaw in ColorOS Assistant to prevent exploitation.
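As an added example (not Oppo's code; the page does not show the ColorOS Assistant implementation), the pattern the deeper analysis and the AC-14/SI-10 controls describe: a download target built by a naive join beside a validated version that resolves the path and requires it to stay inside the download directory, placed behind an authentication gate. The function names and the download directory are assumptions made for this example.

```python
from pathlib import Path

# Constructed download directory for this example; the real location used by
# ColorOS Assistant is not given on the page and is not assumed here.
DOWNLOAD_DIR = "/srv/assistant-downloads"


def naive_target(base_dir: str, requested_name: str) -> str:
    """The CWE-23 pattern: the caller-supplied name is joined to base_dir
    without checking where the result lands, so '../' segments walk out."""
    return str(Path(base_dir) / requested_name)


def validated_target(base_dir: str, requested_name: str) -> Path:
    """SI-10 style input validation: resolve the full path ('..' and symlinks
    included) and require it to be strictly inside base_dir. This rejects
    '../' chains, absolute names and names that collapse onto base_dir."""
    if not requested_name or "\x00" in requested_name:
        raise ValueError("empty name or embedded NUL")
    base = Path(base_dir).resolve()
    candidate = (base / requested_name).resolve()
    if base not in candidate.parents:  # candidate == base fails this too
        raise ValueError(f"escapes download directory: {requested_name!r}")
    return candidate


def is_rejected(requested_name: str) -> bool:
    """True when validation refuses the name (used by the checks below)."""
    try:
        validated_target(DOWNLOAD_DIR, requested_name)
    except ValueError:
        return True
    return False


def start_download(requested_name: str, authenticated: bool) -> Path:
    """Guarded entry point: an AC-14 style gate (no unauthenticated callers)
    in front of the SI-10 style path check."""
    if not authenticated:
        raise PermissionError("start-download requires an authenticated caller")
    return validated_target(DOWNLOAD_DIR, requested_name)


if __name__ == "__main__":
    for name in ("update.bin", "../../etc/hosts", "/etc/hosts", "."):
        print(f"{name!r:20} naive -> {naive_target(DOWNLOAD_DIR, name)}")
        verdict = "rejected" if is_rejected(name) else "allowed"
        print(f"{'':20} validated -> {verdict}")
```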