CVE-2026-4218
Status: Awaiting Analysis (Queue)
Information Disclosure via AUTH_KEY Manipulation in myAEDES App

Publication date: 2026-03-16

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in myAEDES App up to 1.18.4 on Android. Affected is an unknown function of the file aedes/me/beta/utils/EngageBayUtils.java of the component aedes.me.beta. Manipulation of the argument AUTH_KEY results in information disclosure. The attack is only possible with local access. The attack's complexity is rated as high, and exploitation is considered difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2026-03-16
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2026-03-16
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-4218 is an information disclosure vulnerability in the myAEDES App up to version 1.18.4 on Android. It exists in the file aedes/me/beta/utils/EngageBayUtils.java within the component aedes.me.beta. The vulnerability occurs due to manipulation of the argument AUTH_KEY, which leads to unauthorized exposure of sensitive information.

The attack requires local access to the device and is considered difficult to perform. The exploit is publicly available, and the vendor was notified but did not respond.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized disclosure of sensitive user information. An attacker who gains local access and reverse engineers the app can extract a hardcoded EngageBay API key.

Using this key, the attacker can access EngageBay APIs and retrieve sensitive data such as user names, email addresses, phone numbers, app version details, usage behavior including report generation records and tags, and other custom fields.

Although the vulnerability has a low CVSS score indicating limited impact, it compromises confidentiality and may expose personal and usage data.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves manipulation of the AUTH_KEY argument within the myAEDES App on Android and requires local access. Detection would primarily involve analyzing the application binary or runtime behavior on the device.

One approach is to reverse engineer or inspect the APK to locate the hardcoded EngageBay API key in the file aedes/me/beta/utils/EngageBayUtils.java.

Commands that could assist in detection include using tools like 'strings' or 'grep' on the APK or decompiled source to search for the AUTH_KEY or EngageBay API key.

- Use 'apktool' to decompile the APK: apktool d myAEDES.apk
- Search for the AUTH_KEY or EngageBay key in the decompiled files: grep -r 'AUTH_KEY' ./myAEDES/
- Use 'strings' on the APK to find embedded keys: strings myAEDES.apk | grep -i 'engagebay'

Network detection is limited since the attack requires local access and the vulnerability is not exploitable remotely.
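As an added example (not the advisory's or the vendor's code), a small Python scanner that applies the detection approach above to a decompiled source tree: it flags string literals assigned to credential-like identifiers such as AUTH_KEY and stays quiet on a hardened variant in which the client holds no key and talks to the app's own backend instead. The Java samples, the fake key value and the example.invalid host are all constructed for illustration.

```python
import os
import re
import tempfile

# Identifier fragments that commonly name an embedded credential. AUTH_KEY is
# the argument named in this advisory; the others are assumed generic additions.
SECRET_NAME = re.compile(r"(AUTH_KEY|API_KEY|SECRET|TOKEN)", re.IGNORECASE)
# A Java/Kotlin string assignment of the form  <name> = "<literal>"
ASSIGNMENT = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def looks_like_key(value, min_len=16):
    """Credentials are long single-token strings; UI text contains spaces."""
    return len(value) >= min_len and not any(ch.isspace() for ch in value)

def scan_source(text, path="<mem>"):
    """Return (path, line_no, identifier) for each suspicious string constant."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for name, value in ASSIGNMENT.findall(line):
            if SECRET_NAME.search(name) and looks_like_key(value):
                hits.append((path, no, name))
    return hits

def scan_tree(root):
    """Scan every .java/.kt file under a decompiled tree (e.g. jadx output)."""
    hits = []
    for d, _, files in os.walk(root):
        for f in sorted(files):
            if f.endswith((".java", ".kt")):
                p = os.path.join(d, f)
                with open(p, encoding="utf-8", errors="replace") as fh:
                    hits.extend(scan_source(fh.read(), p))
    return hits

# Constructed samples: neither is the app's real source, and the key is fake.
VULNERABLE = '''package aedes.me.beta.utils;
public class EngageBayUtils {
    private static final String API_KEY_HINT = "Enter your API key here please";
    private static final String AUTH_KEY = "k7Qz9pLm2Xv4Rt8Yb3Nw6Hc1Jd5Fg0Sa";
}
'''
# Hardened form: no key ships in the APK; requests go through the app's own backend.
HARDENED = '''package aedes.me.beta.utils;
public class EngageBayUtils {
    private static final String PROXY_URL = "https://backend.example.invalid/engagebay/";
    private static final String AUTH_KEY_HEADER = "X-App-Session";
}
'''

def demo():
    """Write both samples to a temp dir and return what the scanner flags."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "EngageBayUtils.java"), "w") as fh:
            fh.write(VULNERABLE)
        with open(os.path.join(root, "EngageBayUtilsFixed.java"), "w") as fh:
            fh.write(HARDENED)
        return [(os.path.basename(p), no, name) for p, no, name in scan_tree(root)]

if __name__ == "__main__":
    print(demo())
```

Point scan_tree at the output directory of jadx or a similar decompiler to run it against a real APK; the grep and strings commands above remain the quick first pass.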


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include replacing the affected myAEDES App component or the entire app with an alternative that does not contain the vulnerability.

Since the vulnerability arises from a hardcoded API key and manipulation of AUTH_KEY, removing or rotating the exposed API key and updating the app to a version without this issue is recommended.

Because the vendor has not provided any patches or countermeasures, users should avoid using the affected versions (up to 1.18.4) and monitor for any updates or advisories.

Limiting local access to trusted users and devices can reduce the risk of exploitation.

