Description
In Crazy Bubble Tea mobile application authenticated attacker can obtain personal information about other users by enumerating a `loyaltyGuestId` parameter. Server does not verify the permissions required to obtain the data. This issue was fixed in version 915 (Android) and 7.4.1 (iOS).
References (2)
Core 2
Core References
Various Sources product
https://crazybubble.pl/aplikacja-crazy-bubble/
Various Sources third-party-advisory
https://cert.pl/posts/2026/01/CVE-2025-14317
Scores
CVSS v4
7.1
EPSS
0.0025
EPSS Percentile
15.9%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-359
Status
published
Products (2)
Emaintenance/Crazy Bubble Tea
< 7.4.1
Emaintenance/Crazy Bubble Tea
< 915
Published
Jan 14, 2026
Tracked Since
Feb 18, 2026