CVE-2026-13514
Received - Intake

Backup File Exposure in Chess Play and Learn App

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulDB

Description

A weakness has been identified in Chess Play and Learn App up to 4.9.42 on Android. This issue affects some unknown processing of the file AndroidManifest.xml of the component com.chess. This manipulation causes exposure of backup file to an unauthorized control sphere. It is feasible to perform the attack on the physical device. The exploit has been made available to the public and could be used for attacks. Upgrading the affected component is advised. The vendor was informed early about this issue. They confirmed the existence and that they will address it. Furthermore, they explain that their bug bounty "explicitly excludes physical-access attacks". However, they appreciate the quality of the report and aim at making a goodwill payment to the researcher.

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Currently, no data is known.

CWE

  • CWE-285: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
  • CWE-530: A backup file is stored in a directory or archive that is made accessible to unauthorized actors.

Executive Summary

CVE-2026-13514 is a security vulnerability in the Chess Play and Learn Android app (up to version 4.9.42) caused by improper configuration of the AndroidManifest.xml file. Specifically, the app had the setting android:allowBackup="true" enabled, which allows attackers with physical access to the device and USB debugging enabled to extract the app's backup data using ADB without needing root access.

Within the extracted backup, sensitive information such as a plaintext Google OAuth JWT token was found. This token contains user identity details including email, name, profile picture URL, and OAuth identifiers. The exposure of this token can lead to identity theft or session abuse.

The vulnerability arises from the combination of allowing backups and storing sensitive tokens in plaintext within the app's shared preferences.

Impact Analysis

This vulnerability can impact users by exposing sensitive authentication tokens if an attacker gains physical access to their device with USB debugging enabled.

An attacker could extract the backup data and retrieve the plaintext Google OAuth JWT token, which contains personal identity information such as email and profile details.

With this token, attackers could potentially perform identity theft, abuse user sessions, or carry out further OAuth-related attacks, compromising the user's account security.

Detection Guidance

This vulnerability can be detected by checking if the Chess Play and Learn App on an Android device has the AndroidManifest.xml file configured with android:allowBackup="true". This setting allows backup of the app data via ADB.

To detect the vulnerability, you can use ADB commands on a physical device with USB debugging enabled to attempt to create a backup of the app data and inspect it for sensitive information such as plaintext OAuth tokens.

  • Connect the Android device via USB and ensure USB debugging is enabled.
  • Run the command: adb backup -noapk com.chess
  • Extract the backup file and inspect the shared_preferences directory for plaintext OAuth JWT tokens or other sensitive data.

Mitigation Strategies

Immediate mitigation steps include upgrading the Chess Play and Learn App to a version where this vulnerability is fixed.

Additional recommended actions are to disable ADB backup for the app by setting android:allowBackup="false" in the AndroidManifest.xml, exclude sensitive files from backups, and avoid storing sensitive tokens in plaintext.

Using EncryptedSharedPreferences or storing tokens securely in the Android Keystore can further protect sensitive information.
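
The manifest check described above can be automated during a build or app review. The following is an added example, not code from the vendor or the original report: it audits a decoded (plain-text XML) AndroidManifest.xml for its backup settings, including the case where android:allowBackup is absent and Android falls back to its default of true. The function name audit_backup_config, the package com.example.app and the three sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def audit_backup_config(manifest_xml: str) -> dict:
    """Report the backup posture of a decoded AndroidManifest.xml (hypothetical helper)."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    raw = _attr(app, "allowBackup")
    # A missing android:allowBackup is treated by Android as true.
    allow = True if raw is None else raw.strip().lower() != "false"
    # Backup rule attributes only point at rule files; their contents still need review.
    rules = [a for a in ("fullBackupContent", "dataExtractionRules") if _attr(app, a)]
    findings = []
    if allow:
        if raw is None:
            findings.append("android:allowBackup not set; platform default is true")
        elif raw.startswith("@"):
            findings.append(f"android:allowBackup is a resource reference ({raw}); resolve it manually")
        else:
            findings.append('android:allowBackup="true"; app data is eligible for backup')
        if not rules:
            findings.append("no backup rules declared to exclude shared preferences")
    return {"package": root.get("package"), "allow_backup": allow,
            "explicit": raw is not None, "backup_rules": rules, "findings": findings}

# Constructed sample manifests (not taken from any real app).
_TEMPLATE = ('<manifest xmlns:android="' + ANDROID_NS + '" '
             'package="com.example.app"><application {attrs}/></manifest>')
SAMPLE_WEAK = _TEMPLATE.format(attrs='android:allowBackup="true"')
SAMPLE_IMPLICIT = _TEMPLATE.format(attrs='android:label="demo"')
SAMPLE_FIXED = _TEMPLATE.format(attrs='android:allowBackup="false"')

if __name__ == "__main__":
    for label, xml in (("weak", SAMPLE_WEAK), ("implicit", SAMPLE_IMPLICIT),
                       ("fixed", SAMPLE_FIXED)):
        result = audit_backup_config(xml)
        print(label, result["allow_backup"], result["findings"])
```

A clean result here only covers the manifest flag; tokens kept in plaintext shared preferences remain a separate finding.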

Compliance Impact

The vulnerability exposes sensitive user information such as Google OAuth tokens in plaintext, which can lead to identity theft, session abuse, or further OAuth-related attacks. This exposure of personal and authentication data could result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

Specifically, the improper configuration allowing backup extraction of sensitive tokens without root access increases the risk of unauthorized data disclosure, potentially violating principles of data confidentiality and integrity mandated by these standards.
