CVE-2026-5452
Received Received - Intake
Hardcoded Cryptographic Key in UCC CampusConnect Android App

Publication date: 2026-04-03

Last updated on: 2026-04-03

Assigner: VulDB

Description
A flaw has been found in UCC CampusConnect App up to 14.3.5 on Android. This vulnerability affects unknown code of the file campusconnect/BuildConfig.java of the component campusconnect.ucc. This manipulation causes use of hard-coded cryptographic key . The attack can only be executed locally. The exploit has been published and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-04-03
Generated
2026-06-16
AI Q&A
2026-04-03
EPSS Evaluated
2026-06-14
NVD
CVE-2026-5452
EUVD
EUVD-2026-18577
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-321 The product uses a hard-coded, unchangeable cryptographic key.
CWE-320 Key Management Errors
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a flaw found in the UCC CampusConnect App up to version 14.3.5 on Android. It involves the use of a hard-coded cryptographic key within the file campusconnect/BuildConfig.java of the campusconnect.ucc component. Because the cryptographic key is hard-coded, it can be manipulated or exploited.

The attack exploiting this vulnerability can only be executed locally, meaning an attacker needs local access to the device or app environment to carry out the exploit. Additionally, the exploit has been published and may be used by attackers.

Impact Analysis

The impact of this vulnerability is limited due to its low CVSS scores (v3.1 BaseScore 3.3) and the requirement for local access to exploit it.

Specifically, the vulnerability allows partial confidentiality compromise (C:P) but does not affect integrity or availability. This means that sensitive information protected by the cryptographic key could potentially be exposed if an attacker has local access.

However, since the attack requires local access and the exploit is not remotely executable, the overall risk to users is relatively low unless an attacker already has physical or local control of the device.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5452. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart