CVE-2026-13462
Received Received - Intake

SSL Bypass in PayRange Android App

Vulnerability report for CVE-2026-13462, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: CERT/CC

Description

PayRange Android app, version 7.0.7 and below, contains an SSL bypass vulnerability that allows invalid certificates to be accepted in application webviews. A remote and unauthenticated attacker can steal information that the user sends.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
payrange payrange_android_app to 7.0.7 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The PayRange Android app, version 7.0.7 and below, contains an SSL bypass vulnerability that allows the app to accept invalid SSL certificates in its webviews. This means the app does not properly validate SSL certificates, enabling attackers to present fake or malicious certificates without being detected.

This improper certificate validation can allow a remote and unauthenticated attacker to intercept or steal information that the user sends through the app.

This type of vulnerability is related to CWE-295, which describes weaknesses where products fail to properly validate certificates, potentially leading to man-in-the-middle attacks or acceptance of spoofed data.

Impact Analysis

This vulnerability can allow attackers to intercept sensitive information sent by users through the PayRange app by exploiting the acceptance of invalid SSL certificates.

An attacker could perform man-in-the-middle attacks, capturing or modifying data transmitted between the user and the app's servers without the user's knowledge.

This could lead to theft of personal or financial information, unauthorized access to user accounts, or exposure of confidential data.

Detection Guidance

This vulnerability involves improper SSL certificate validation in the PayRange Android app, allowing invalid certificates to be accepted in application webviews.

To detect this vulnerability on your system or network, you can monitor network traffic for SSL/TLS connections made by the PayRange app and check if invalid or self-signed certificates are accepted.

Commands to help detect such behavior include using network traffic analysis tools like Wireshark or tcpdump to capture SSL/TLS handshakes and inspect certificate details.

  • Use tcpdump to capture traffic on the device: tcpdump -i any port 443 -w capture.pcap
  • Analyze the capture with Wireshark to inspect the certificates presented during SSL/TLS handshakes.
  • Use Android debugging tools (adb) to monitor app logs for SSL errors or warnings.

Since the vulnerability is due to accepting invalid certificates, look for connections where the certificate is self-signed, expired, revoked, or does not match the hostname.

Mitigation Strategies

To mitigate this SSL bypass vulnerability in the PayRange Android app, immediate steps include:

  • Update the PayRange app to a version above 7.0.7 where the vulnerability is fixed.
  • If updating is not immediately possible, avoid using the app on untrusted networks to reduce risk of man-in-the-middle attacks.
  • Implement network-level protections such as SSL/TLS interception detection or use VPNs to secure communications.

From a development perspective, proper certificate validation should be enforced, including hostname verification, expiration checks, and revocation status validation, as well as correct implementation of certificate pinning.

Compliance Impact

The SSL bypass vulnerability in the PayRange Android app allows invalid certificates to be accepted, enabling attackers to intercept and steal user information. This undermines the confidentiality and integrity of user data, which are core requirements in standards like GDPR and HIPAA.

By allowing man-in-the-middle attacks through improper certificate validation, the vulnerability increases the risk of unauthorized access to personal and sensitive information. This can lead to non-compliance with data protection regulations that mandate secure transmission and protection of personal data.

Therefore, organizations using affected versions of the app may face compliance challenges related to protecting user data privacy and ensuring secure communications as required by these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-13462. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart