CVE-2026-49189
Analyzed - Analysis Complete
Broadcast Receiver Privilege Escalation in Android System

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: 8fc372e3-d9c5-46e4-9410-38469745c639

Description
Unchecked public access permissions on a core Broadcast Receiver allow unauthorized local software components to invoke administrative operations.
Meta Information
Published: 2026-06-04
Last Modified: 2026-06-04
Generated: 2026-06-24
AI Q&A: 2026-06-04
EPSS Evaluated: 2026-06-23
Affected Vendors & Products
Vendor | Product | Version / Range
acer | connect_m6e_5g_firmware | to m6e_ai_1.00.000019 (inc)
CWE ID | Description
CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Executive Summary

This vulnerability involves unchecked public access permissions on a core Broadcast Receiver, which allows unauthorized local software components to invoke administrative operations.

Impact Analysis

The vulnerability can allow unauthorized local software components to perform administrative operations, potentially leading to unauthorized control or manipulation of the affected system.

Compliance Impact

The vulnerability allows unauthorized local software components to invoke administrative operations due to unchecked public access permissions on a core Broadcast Receiver.

This unauthorized access and potential for privilege escalation could lead to exposure or manipulation of sensitive data, which may impact compliance with data protection regulations such as GDPR and HIPAA.

Specifically, the exploitation of this vulnerability could result in unauthorized access to user data or device configurations, potentially violating requirements for data confidentiality, integrity, and access controls mandated by these standards.

Therefore, until patched, affected devices may not meet the security controls required to comply with such regulations.

Detection Guidance

This vulnerability involves unchecked public access permissions on a core Broadcast Receiver allowing unauthorized local software components to invoke administrative operations.

While specific detection commands are not provided, monitoring for unusual administrative operations or unauthorized local software invoking such operations on the affected device (Acer Connect M6E 5G Portable WiFi Router) could help identify exploitation attempts.

Additionally, checking for firmware versions M6E_AI_1.00.000019 or earlier can help identify vulnerable devices.

Mitigation Strategies
  • Install the forthcoming comprehensive firmware update from Acer as soon as it is released.
  • Secure devices with strong administrative passwords.
  • Restrict IPv6 traffic where possible to reduce attack surface.

These steps are recommended to mitigate the risk of exploitation until the firmware update is applied.
