CVE-2026-26959
Published: 20 February 2026
Summary
CVE-2026-26959 is a high-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Attachment (T1566.001). The CVE is ranked at the 0.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires validation of untrusted inputs like the ManualAdbPath in configuration files to ensure only legitimate ADB binaries are executed, directly addressing the lack of path integrity checks.
Mandates integrity verification of software binaries prior to execution, preventing the launch of arbitrary untrusted executables specified in the ManualAdbPath setting.
Enforces the use of signed components for executables, blocking the execution of malicious unsigned binaries targeted via crafted App.txt configuration files.
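The three controls above can be combined into a single pre-execution check on the configured path. The following PowerShell function is an added example, not ADB Explorer's own fix: it validates the path string, requires a valid Authenticode signature, and pins the file to an allowlist of SHA-256 hashes. The function name, the placeholder hash, and the assumption that your vetted adb.exe build is Authenticode-signed are all hypothetical; rely on the hash pin alone if your build is unsigned.

```powershell
# Added example: vet a configured ADB binary path before anything executes it.
# Test-AdbBinaryPath is a hypothetical helper, not part of ADB Explorer.
function Test-AdbBinaryPath {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Placeholder: replace with SHA-256 hashes of adb.exe builds you have vetted.
        [string[]]$TrustedSha256 = @('<SHA256-OF-VETTED-ADB-EXE>')
    )

    # 1. Input validation: accept only a drive-letter absolute path.
    #    This rejects relative paths (which resolve against a directory the
    #    settings file or shortcut may control) and UNC or device paths.
    if ($Path -notmatch '^[A-Za-z]:\\') { return $false }

    # 2. Input validation: the target must be named adb.exe, nothing else.
    if ([System.IO.Path]::GetFileName($Path) -ine 'adb.exe') { return $false }

    # 3. The path must resolve to an existing regular file.
    $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $item -or $item.PSIsContainer) { return $false }

    # 4. Signed components: require a valid Authenticode signature
    #    (assumption: the vetted build is signed).
    $sig = Get-AuthenticodeSignature -LiteralPath $item.FullName
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        return $false
    }

    # 5. Integrity verification: the file content must match a pinned hash,
    #    so a correctly named, signed, but unexpected binary is still refused.
    $hash = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
    return ($TrustedSha256 -contains $hash)
}

# Constructed sample inputs; each of these is rejected before any file is read.
Test-AdbBinaryPath -Path '.\adb.exe'                  # relative path
Test-AdbBinaryPath -Path '\\fileserver\share\adb.exe' # UNC path
Test-AdbBinaryPath -Path 'C:\Users\Public\tool.exe'   # wrong file name
```

The hash pin is the decisive check: the path and name tests only narrow what reaches it, and a signature alone proves who signed a file, not that it is the binary you expect.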
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables RCE by blindly executing an attacker-controlled binary via a malicious ManualAdbPath in a configuration loaded through a CLI argument. Exploitation relies on social engineering to deliver an archive containing a shortcut and a crafted settings file (Spearphishing Attachment), followed by user interaction to launch it (Malicious File).
NVD Description
ADB Explorer is a fluent UI for ADB on Windows. Versions 0.9.26020 and below fail to validate the integrity or authenticity of the ADB binary path specified in the ManualAdbPath setting before executing it, allowing arbitrary code execution with the privileges of the current user. An attacker can exploit this by crafting a malicious App.txt settings file that points ManualAdbPath to an arbitrary executable, then convincing a victim to launch the application with a command-line argument directing it to the malicious configuration directory. This vulnerability could be leveraged through social engineering tactics, such as distributing a shortcut bundled with a crafted settings file in an archive, resulting in RCE upon application startup. This issue has been fixed in version 0.9.26021.
Deeper analysis
CVE-2026-26959 affects ADB Explorer, a Windows application providing a graphical user interface for the Android Debug Bridge (ADB). Versions 0.9.26020 and prior fail to validate the integrity or authenticity of the ADB binary path specified in the ManualAdbPath setting within the application's configuration before executing it. This flaw, classified under CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), enables arbitrary code execution with the privileges of the current user and is rated 7.8 on the CVSS v3.1 scale (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
An attacker can exploit this vulnerability by creating a malicious App.txt settings file that sets ManualAdbPath to point to an arbitrary executable under their control. The attacker then convinces a victim to launch ADB Explorer using a command-line argument that directs the application to load from a malicious configuration directory. This can be facilitated through social engineering, such as distributing an archive containing a shortcut bundled with the crafted settings file, leading to remote code execution (RCE) upon application startup by any local user who interacts with the lure.
The issue has been addressed in ADB Explorer version 0.9.26021. Official mitigation details are available in the GitHub security advisory (GHSA-gcgv-2jq7-74rp), the release notes for v0.9.26021, and the fixing commit (1b9fed20e875f5e74fd04e9889402f969c2d34e4), which presumably introduce validation of the ManualAdbPath to prevent execution of untrusted binaries. Security practitioners should advise users to update to the patched version and avoid loading configurations from untrusted sources.
Details
- CWE(s)