CVE-2026-5682
Received Received - Intake
Risky Cryptographic Algorithm in Meesho App /api Endpoint

Publication date: 2026-04-06

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in Meesho Online Shopping App up to 27.3 on Android. Affected is an unknown function of the file /api/endpoint of the component com.meesho.supply. Such manipulation leads to risky cryptographic algorithm. The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5682
EUVD
EUVD-2026-19482
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
meesho online_shopping_app to 27.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-310 Cryptographic Issues
CWE-327 The product uses a broken or risky cryptographic algorithm or protocol.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in the Meesho Android app involves the use of weak cryptographic algorithms and lack of integrity protection, which can lead to unauthorized data manipulation and potential data breaches.

Such cryptographic weaknesses violate best practices outlined in security standards and frameworks like OWASP Mobile Top 10 (M5 - Insufficient Cryptography) and OWASP MASVS/MSTG guidelines, which emphasize strong encryption and message integrity.

From a compliance perspective, this vulnerability could hinder adherence to regulations such as GDPR and HIPAA, which require protection of sensitive data through strong encryption and integrity controls to prevent unauthorized access and tampering.

Failure to properly secure sensitive data as demonstrated by this vulnerability may result in non-compliance with these regulations, potentially leading to legal and financial consequences.

Executive Summary

The vulnerability in the Meesho Android app involves insecure cryptographic implementation in the component com.meesho.supply. Specifically, the app uses AES encryption in CBC mode without integrity protection and derives encryption keys using the insecure MD5 hash algorithm without salting or iteration.

This weak cryptographic design allows attackers to tamper with encrypted data undetected, potentially perform padding oracle attacks, and manipulate API parameters. The encrypted payloads are formatted as Base64 encoded initialization vector concatenated with Base64 encoded ciphertext, which can be intercepted and modified by attackers.

The vulnerability is difficult to exploit and requires a high level of complexity, but it has been publicly disclosed and can be used by attackers remotely.

Impact Analysis

This vulnerability can impact users and the application by allowing attackers to manipulate encrypted data without detection, leading to unauthorized changes in API requests.

  • Ciphertext tampering without detection.
  • Potential padding oracle attacks that can reveal sensitive information.
  • Data integrity violations and unauthorized manipulation of API parameters.
  • Replay attacks due to lack of request authentication or nonce validation.
  • Possible exposure of sensitive data through cryptographic weaknesses.
Detection Guidance

This vulnerability can be detected by intercepting and analyzing the encrypted API requests sent by the Meesho Android app, specifically those targeting the /api/endpoint of the com.meesho.supply component. The encrypted payloads are formatted as Base64(IV) concatenated with Base64(ciphertext) separated by a dot.

Using interception tools like Burp Suite, you can capture these encrypted messages and attempt to modify the ciphertext bytes. If the server accepts modified ciphertexts and reveals different error responses, this indicates a padding oracle vulnerability and confirms the presence of the insecure cryptographic implementation.

  • Use Burp Suite or a similar proxy tool to intercept API requests from the Meesho app.
  • Look for requests with parameters formatted as Base64(IV).Base64(ciphertext).
  • Modify ciphertext bytes in intercepted requests and observe server responses for error differences.

There are no specific command-line commands provided, but the detection relies on manual interception and ciphertext manipulation using tools like Burp Suite.

Mitigation Strategies

Immediate mitigation steps involve addressing the insecure cryptographic implementation in the Meesho Android app:

  • Replace the AES-CBC encryption mode with an authenticated encryption mode such as AES-GCM or ChaCha20-Poly1305 to provide confidentiality and integrity.
  • Replace the weak MD5-based key derivation with a secure key derivation function like PBKDF2, Argon2, or bcrypt that includes salting and iteration.
  • Implement message authentication codes (e.g., HMAC) to ensure integrity and authenticity of encrypted data before decryption.
  • Validate message integrity and authenticity on the server side prior to processing any encrypted payloads.

Since the vulnerability is in the app's cryptographic design, patching the app with these improvements is essential. Until then, monitoring and restricting API access may help reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5682. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart