CVE-2026-4217

LOW

XREAL Nebula App ai.nreal.nebula.universal CloudStoragePlugin.java key management

Title source: cna

Description

A security vulnerability has been detected in XREAL Nebula App up to 3.2.1 on Android. This impacts an unknown function of the file in ai/nreal/nebula/flutterPlugin/CloudStoragePlugin.java of the component ai.nreal.nebula.universal. Such manipulation of the argument accessKey/secretAccessKey/securityToken leads to unprotected storage of credentials. The attack can only be performed from a local environment. The attack requires a high level of complexity. The exploitability is said to be difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References (4)

Core 4

Core References

Vdb Entry, Technical Description vdb-entry technical-description

VDB-351141 | XREAL Nebula App ai.nreal.nebula.universal CloudStoragePlugin.java key management

https://vuldb.com/?id.351141

Signature, Permissions Required signature permissions-required

VDB-351141 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/?ctiid.351141

Third Party Advisory third-party-advisory

Submit #770503 | XREAL Technology Limited Nebula 3.2.1 Exposed Cryptographic Key and IV

https://vuldb.com/?submit.770503

Exploit exploit

https://www.notion.so/Exposed-Cryptographic-Key-and-IV-in-ai-nreal-nebula-universal-3172de3f97fb80b5a987eac2c49527e2?source=copy_link

Scores

CVSS v3 2.5

EPSS 0.0010

EPSS Percentile 0.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-255 CWE-256

Status published

Products (2)

XREAL/Nebula App 3.2.0

XREAL/Nebula App 3.2.1

Published Mar 16, 2026

Tracked Since Mar 16, 2026