CVE-2026-4218
Status: Awaiting Analysis - Queue
Information Disclosure via AUTH_KEY Manipulation in myAEDES App

Publication date: 2026-03-16

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in myAEDES App up to 1.18.4 on Android. Affected is an unknown function of the file aedes/me/beta/utils/EngageBayUtils.java of the component aedes.me.beta. Manipulation of the argument AUTH_KEY results in information disclosure. The attack is only possible with local access. The attack complexity is rated as high, and exploitation is considered difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2026-03-16
Last Modified: 2026-04-29
Generated: 2026-06-16
AI Q&A: 2026-03-16
EPSS Evaluated: 2026-06-15
References: NVD, EUVD
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Executive Summary

CVE-2026-4218 is an information disclosure vulnerability in the myAEDES App up to version 1.18.4 on Android. It exists in the file aedes/me/beta/utils/EngageBayUtils.java within the component aedes.me.beta. The vulnerability occurs due to manipulation of the argument AUTH_KEY, which leads to unauthorized exposure of sensitive information.

The attack requires local access to the device and is considered difficult to perform. The exploit is publicly available, and the vendor was notified but did not respond.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive user information. An attacker who gains local access and reverse engineers the app can extract a hardcoded EngageBay API key.

Using this key, the attacker can access EngageBay APIs and retrieve sensitive data such as user names, email addresses, phone numbers, app version details, usage behavior including report generation records and tags, and other custom fields.

Although the vulnerability has a low CVSS score indicating limited impact, it compromises confidentiality and may expose personal and usage data.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves manipulation of the AUTH_KEY argument within the myAEDES App on Android and requires local access. Detection would primarily involve analyzing the application binary or runtime behavior on the device.

One approach is to reverse engineer or inspect the APK to locate the hardcoded EngageBay API key in the file aedes/me/beta/utils/EngageBayUtils.java.

Commands that could assist in detection include using tools like 'strings' or 'grep' on the APK or decompiled source to search for the AUTH_KEY or EngageBay API key:

- Use 'apktool' to decompile the APK: apktool d myAEDES.apk
- Search for the AUTH_KEY or EngageBay key in the decompiled files: grep -r 'AUTH_KEY' ./myAEDES/
- Use 'strings' on the APK to find embedded keys: strings myAEDES.apk | grep -i 'engagebay'

Network detection is limited since the attack requires local access and the vulnerability is not exploitable remotely. [1, 2]

Mitigation Strategies

Immediate mitigation steps include replacing the affected myAEDES App component or the entire app with an alternative that does not contain the vulnerability.

Since the vulnerability arises from a hardcoded API key and manipulation of AUTH_KEY, removing or rotating the exposed API key and updating the app to a version without this issue is recommended.

Because the vendor has not provided any patches or countermeasures, users should avoid using the affected versions (up to 1.18.4) and monitor for any updates or advisories.

Limiting local access to trusted users and devices can reduce the risk of exploitation.
