Description
AL-KO Robolinho Update Software has hard-coded AWS Access and Secret keys that allow anyone to access AL-KO's AWS bucket. Using the keys directly might give the attacker greater access than the app itself. The key grants AT LEAST read access to some of the objects in the bucket.

The vendor was notified early about this vulnerability, but did not respond with details of the vulnerability or the vulnerable version range. Only versions 8.0.21.0610 and 8.0.22.0524 were tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable.
Published: 2026-03-30
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized AWS bucket access
Action: Patch Immediately
AI Analysis

Impact

AL‑KO Robolinho Update Software contains hard‑coded AWS Access and Secret keys within its binaries, enabling anyone who obtains the software to authenticate to the vendor's Amazon Web Services bucket and read the stored objects. The embedded credentials may also grant higher privileges than the application's intended scope, potentially giving attackers broader access to the AWS account. This weakness maps to CWE‑798 (Use of Hard-coded Credentials).

Affected Systems

Versions 8.0.21.0610 and 8.0.22.0524 have been confirmed to contain the hard‑coded keys. No additional versions were tested; the vendor has not disclosed a specific vulnerable version range, so earlier or later releases may also be affected.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, indicating no known active exploitation. Attackers could extract the hard‑coded keys from the binary or installation files, then use these credentials to authenticate to the AWS bucket, obtaining read access to stored objects and possibly higher privileges if the keys exceed the application's intended permissions.

Generated by OpenCVE AI on April 13, 2026 at 09:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and apply any vendor‑issued patch that removes the hard‑coded credentials
  • Rotate the AWS Access and Secret keys used by the bucket and limit them to the minimum required permissions
  • Enable AWS CloudTrail and bucket access logging to detect unauthorized access attempts
  • Scan all deployed binaries for embedded credentials and replace any that contain secrets
  • Implement a development policy that prohibits hard‑coded credentials in future releases


Advisories

No advisories yet.

History

Mon, 13 Apr 2026 07:45:00 +0000

Type: Description
Values Removed: AL-KO Robolinho Update Software has hard-coded AWS Access and Secret keys that allow anyone to access AL-KO's AWS bucket. Using the keys directly might give the attacker greater access than the app itself. Key grants AT LEAST read access to some of the objects in bucket. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 8.0.21.0610 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Values Added: AL-KO Robolinho Update Software has hard-coded AWS Access and Secret keys that allow anyone to access AL-KO's AWS bucket. Using the keys directly might give the attacker greater access than the app itself. Key grants AT LEAST read access to some of the objects in bucket. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 8.0.21.0610 and 8.0.22.0524 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

Wed, 01 Apr 2026 02:15:00 +0000

Type: First Time appeared
Values Added: Al-ko; Al-ko robolinho Update Software

Type: Vendors & Products
Values Added: Al-ko; Al-ko robolinho Update Software

Mon, 30 Mar 2026 14:15:00 +0000

Type: Metrics
Values Added: ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 10:30:00 +0000

Type: Description
Values Added: AL-KO Robolinho Update Software has hard-coded AWS Access and Secret keys that allow anyone to access AL-KO's AWS bucket. Using the keys directly might give the attacker greater access than the app itself. Key grants AT LEAST read access to some of the objects in bucket. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 8.0.21.0610 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

Type: Title
Values Added: Hard-coded AWS Key in AL-KO Robolinho Update Software

Type: Weaknesses
Values Added: CWE-798

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-04-13T07:26:47.168Z

Reserved: 2026-01-29T12:37:59.274Z

Link: CVE-2026-1612

Vulnrichment

Updated: 2026-03-30T13:54:25.458Z

NVD

Status: Awaiting Analysis

Published: 2026-03-30T11:16:04.557

Modified: 2026-04-13T08:16:22.663

Link: CVE-2026-1612

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T14:28:11Z

Weaknesses