CVE-2026-4217
LOWXREAL Nebula App ai.nreal.nebula.universal CloudStoragePlugin.java key management
Title source: cnaDescription
A security vulnerability has been detected in XREAL Nebula App up to 3.2.1 on Android. This impacts an unknown function of the file in ai/nreal/nebula/flutterPlugin/CloudStoragePlugin.java of the component ai.nreal.nebula.universal. Such manipulation of the argument accessKey/secretAccessKey/securityToken leads to unprotected storage of credentials. The attack can only be performed from a local environment. The attack requires a high level of complexity. The exploitability is said to be difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
References (4)
Scores
CVSS v3
2.5
EPSS
0.0001
EPSS Percentile
2.7%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-255
CWE-256
Status
published
Products (2)
XREAL/Nebula App
3.2.0
XREAL/Nebula App
3.2.1
Published
Mar 16, 2026
Tracked Since
Mar 16, 2026