CVE-2026-9221
Deferred Deferred - Pending Action

Setracker2 Android App Session ID Exposure via MD5 Signature

Vulnerability report for CVE-2026-9221, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-06-30

Assigner: ICS-CERT

Description

The Setracker2 Android Companion App (com.tgelec.setracker) versions 3.1.5 and earlier uses MD5 to generate a request signature for authenticating communications between the mobile client and the backend REST API. Attackers could potentially reverse the signature to recover the session ID. With the session ID exposed, an attacker could impersonate the legitimate user and issue authenticated API requests.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-06-30
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
tgelec setracker2 to 3.1.6 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-327 The product uses a broken or risky cryptographic algorithm or protocol.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Setracker2 Android Companion App versions 3.1.5 and earlier uses the MD5 hashing algorithm to generate a request signature for authenticating communications between the mobile client and the backend REST API.

Because MD5 is cryptographically weak, attackers could potentially reverse the signature to recover the session ID.

With the session ID exposed, an attacker could impersonate the legitimate user and issue authenticated API requests.

Compliance Impact

The vulnerability in the Setracker2 Android Companion App allows attackers to recover session IDs by reversing MD5-based request signatures, enabling impersonation of legitimate users and unauthorized API access.

Such unauthorized access to user sessions could lead to exposure of personal or sensitive data, which may result in non-compliance with data protection regulations such as GDPR or HIPAA that require safeguarding user data and preventing unauthorized access.

However, the provided information does not explicitly discuss the impact of this vulnerability on compliance with these standards or any regulatory consequences.

Mitigation Strategies

The vulnerability involves the use of MD5 to generate request signatures, which can be reversed to recover session IDs and allow impersonation of legitimate users.

Since no specific remediations or patches are mentioned, immediate steps should include limiting exposure of the Setracker2 app communications, monitoring for suspicious API requests, and contacting the vendor or supplier for guidance.

Impact Analysis

This vulnerability can allow attackers to impersonate legitimate users by recovering their session IDs.

As a result, attackers could issue authenticated API requests on behalf of the user without needing their credentials.

This could lead to unauthorized access to user data or actions within the application.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9221. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart