CVE-2026-5452
Hardcoded Cryptographic Key in UCC CampusConnect Android App
Publication date: 2026-04-03
Last updated on: 2026-04-03
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-320 | Key Management Errors |
| CWE-321 | The product uses a hard-coded, unchangeable cryptographic key. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a flaw found in the UCC CampusConnect App up to version 14.3.5 on Android. It involves the use of a hard-coded cryptographic key within the file campusconnect/BuildConfig.java of the campusconnect.ucc component. Because the cryptographic key is hard-coded, it can be manipulated or exploited.
The attack exploiting this vulnerability can only be executed locally, meaning an attacker needs local access to the device or app environment to carry out the exploit. Additionally, the exploit has been published and may be used by attackers.
How can this vulnerability impact me? :
The impact of this vulnerability is limited due to its low CVSS scores (v3.1 BaseScore 3.3) and the requirement for local access to exploit it.
Specifically, the vulnerability allows partial confidentiality compromise (C:P) but does not affect integrity or availability. This means that sensitive information protected by the cryptographic key could potentially be exposed if an attacker has local access.
However, since the attack requires local access and the exploit is not remotely executable, the overall risk to users is relatively low unless an attacker already has physical or local control of the device.