Cyber Posture

CVE-2026-22070

High

Published: 30 April 2026
Modified: 05 May 2026
KEV Added: not listed
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:H)
EPSS Score: 0.0003 (8.9th percentile)
Risk Priority: 14 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-22070 is a high-severity Relative Path Traversal (CWE-23) vulnerability in Oppo ColorOS Assistant. Its CVSS v3.1 base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105). Its EPSS score of 0.0003 places it at the 8.9th percentile for exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Ingress Tool Transfer (T1105) and Stored Data Manipulation (T1565.001). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Requires validation of inputs to the unauthenticated start-download channel to block path traversal attempts.

AC-14 Permitted Actions Without Identification or Authentication (prevent): Restricts or eliminates unauthenticated actions, such as the start-download channel, that let a local attacker perform path traversal.

SI-2 Flaw Remediation (prevent): Mandates timely identification, reporting, and correction of the path traversal flaw in ColorOS Assistant to prevent exploitation.

MITRE ATT&CK Enterprise Techniques

T1105 Ingress Tool Transfer (Command and Control): Adversaries may transfer tools or other files from an external system into a compromised environment.

T1565.001 Stored Data Manipulation (Impact): Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Path traversal in the unauthenticated start-download channel lets a downloaded file be written outside the intended download directory, i.e. a file write to an attacker-influenced location. That is tool placement (T1105) and modification of data at rest (T1565.001). Consistent with the CVSS vector (I:L, A:H), the expected outcome is limited modification of existing files and denial of service when a file a service depends on is overwritten.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

ColorOS Assistant has an unauthenticated start-download channel, leading to file path traversal.

Deeper analysis

CVE-2026-22070 is a relative path traversal vulnerability (CWE-23) in ColorOS Assistant: the start-download channel accepts requests without authentication, and the file path derived from such a request is not confined to the intended download location. The issue was published on 2026-04-30 with a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:H).

Reading the vector: the attack is local (AV:L), needs no privileges (PR:N) and is low complexity (AC:L), but requires user interaction (UI:R), for example a user triggering a download through the channel. Scope is changed (S:C), so the impact reaches beyond the vulnerable component. Confidentiality is unaffected (C:N); integrity impact is low (I:L), meaning limited file modification; availability impact is high (A:H), since an overwritten file can disrupt system services or cause a denial of service.

The Oppo security advisory at https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-2049764240746881024 provides further details on mitigation and patches.
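The following is an added illustration of the flaw class and of the input validation SI-10 calls for; it is not code from Oppo, from ColorOS Assistant, or from this page. The naive handler shows what a download channel does when it trusts the client-supplied file name; the hardened version confines the resolved path to the download directory. The download root, the function names, the sample names, and the assumption that the channel carries names percent-encoded are all hypothetical.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Hypothetical download directory; the product's real location is not given on this page.
DOWNLOAD_ROOT = "/var/lib/coloros-assistant/downloads"


def vulnerable_target_path(root: str, requested_name: str) -> str:
    """Illustrative 'before': trust the client-supplied name and join it onto the root.

    os.path.join discards the root when the name is absolute, and '..' components
    survive normalisation, so the result can lie anywhere on the filesystem (CWE-23).
    """
    return os.path.normpath(os.path.join(root, requested_name))


def escapes_root(root: str, path: str) -> bool:
    """True when an already-normalised absolute path is not strictly inside root."""
    root = os.path.normpath(root)
    return os.path.commonpath([root, path]) != root or path == root


def hardened_target_path(root: str, requested_name: str) -> Optional[str]:
    """Return an absolute path strictly inside root, or None when the name must be rejected.

    Assumption: the channel carries the name percent-encoded, so it is decoded exactly
    once here. The containment check must run on the final string handed to open(),
    never on an earlier encoding of it.
    """
    name = unquote(requested_name)
    # Treat backslashes as separators so the check behaves the same on Windows and POSIX hosts.
    name = name.replace("\\", "/")
    if not name or name.startswith("/"):
        return None  # empty name, or an absolute path that would swallow the root
    if ":" in name.split("/", 1)[0]:
        return None  # Windows drive letter or similar prefix in the first component
    if any(ord(c) < 0x20 for c in name):
        return None  # control characters, including an embedded NUL
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, name))
    # realpath collapses '..' and follows existing symlinks, so a lexical
    # comparison against the resolved root is sufficient afterwards.
    if escapes_root(root_real, candidate):
        return None
    return candidate


# Constructed sample names covering the traversal variants a download channel sees.
SAMPLE_NAMES = [
    "firmware/update.bin",        # benign
    "firmware/../update.bin",     # '..' that still resolves inside the root
    "../../etc/passwd",           # classic relative traversal
    "%2e%2e/%2e%2e/etc/passwd",   # percent-encoded dots
    "..\\..\\etc\\passwd",        # Windows separators
    "/etc/passwd",                # absolute path
    ".",                          # the root directory itself
    "update.bin\x00.txt",         # embedded NUL
]


def run_samples(root: str = DOWNLOAD_ROOT):
    """Return (name, naive_path, hardened_path_or_None) for every sample name."""
    return [(n, vulnerable_target_path(root, n), hardened_target_path(root, n)) for n in SAMPLE_NAMES]


if __name__ == "__main__":
    for name, naive, safe in run_samples():
        print(f"{name!r:30} naive    -> {naive} (escapes root: {escapes_root(DOWNLOAD_ROOT, naive)})")
        print(f"{'':30} hardened -> {safe if safe else 'REJECTED'}")
```

The point to take from the sample table is that the naive join escapes the root for both the relative and the absolute forms, while the percent-encoded form only becomes a traversal once something decodes it; any validation placed before that decoding step is bypassable, which is why the hardened version decodes first and checks the fully resolved path last.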

Details

CWE(s)

CWE-23 Relative Path Traversal

Affected Products

Vendor: Oppo
Product: ColorOS Assistant
Version: 1.4.26

CVEs Like This One

CVE-2026-33236 (shared CWE-22)
CVE-2026-39305 (shared CWE-22)
CVE-2024-54461 (shared CWE-22, CWE-23)
CVE-2026-27625 (shared CWE-22, CWE-23)
CVE-2024-54462 (shared CWE-22, CWE-23)
CVE-2026-33645 (shared CWE-22)
CVE-2026-26065 (shared CWE-22)
CVE-2025-27395 (shared CWE-22)
CVE-2025-25371 (shared CWE-22)
CVE-2026-21659 (shared CWE-22, CWE-23)

References

Oppo security advisory: https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-2049764240746881024