CVE-2026-9222
Received - Intake
Authentication Bypass via Password Hash in Setracker2 Android App

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: ICS-CERT

Description
Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior only require the password hash when authenticating with backend services from the client. This could allow an attacker, who knows the hash, to authenticate and gain full access.
Affected Vendors & Products
Vendor: tgelec
Product: setracker2
Version / Range: to 3.1.5 (exc)
CWE
CWE-836: The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store.
Executive Summary

The vulnerability exists in the Setracker2 Android Companion App versions 3.1.5 and prior. The app only requires the password hash for authentication with backend services. This means that if an attacker knows the password hash, they can authenticate as a legitimate user and gain full access to the system.

Impact Analysis

This vulnerability can allow an attacker to bypass normal authentication controls by using a known password hash. As a result, the attacker can gain full access to the backend services, potentially leading to unauthorized data access, data manipulation, or other malicious activities.
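The CWE-836 pattern described above, next to a corrected server-side check, as an added example that is not code from the Setracker2 app or its backend. The hash schemes (unsalted SHA-256 for the weak side, salted PBKDF2 for the corrected side), the function names and the sample password are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample account; the hash scheme is an assumption, not taken from the app.
PASSWORD = "correct horse battery staple"


def legacy_record(password: str) -> dict:
    """Store an unsalted SHA-256 digest, as a CWE-836 style backend might."""
    return {"hash": hashlib.sha256(password.encode()).hexdigest()}


def legacy_login(record: dict, client_hash: str) -> bool:
    """Weak: the client sends the hash and the server only compares it."""
    return hmac.compare_digest(record["hash"], client_hash)


def hardened_record(password: str) -> dict:
    """Store a per-user salt and a PBKDF2 verifier derived on the server."""
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return {"salt": salt, "verifier": verifier}


def hardened_login(record: dict, submitted_secret: str) -> bool:
    """Corrected: whatever the client submits is hashed again server-side."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", submitted_secret.encode(), record["salt"], 600_000
    )
    return hmac.compare_digest(record["verifier"], candidate)


def demo() -> dict:
    old, new = legacy_record(PASSWORD), hardened_record(PASSWORD)
    stored_old = old["hash"]            # value as it sits in the data store
    stored_new = new["verifier"].hex()  # same, for the corrected scheme
    return {
        "legacy_accepts_stored_hash": legacy_login(old, stored_old),
        "hardened_accepts_stored_hash": hardened_login(new, stored_new),
        "hardened_accepts_password": hardened_login(new, PASSWORD),
        "hardened_rejects_wrong_password": not hardened_login(new, "guess"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

In the weak design the stored value is itself the credential, so anyone who can read the data store can log in; in the corrected design the stored verifier is useless as a login input because the server derives it again from what was submitted.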
