Description
Improper handling of insufficient permission in Galaxy Wearable installed on non-Samsung Device prior to version 2.2.68 allows local attackers to access sensitive information.
Published: 2026-02-04
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Information Disclosure
Action: Apply Update
AI Analysis

Impact

The vulnerability stems from the Galaxy Wearable app not handling a missing permission correctly: a code path that should only run when the caller holds the required permission proceeds anyway. A local attacker (in practice another app on the same device, or a user with local access) on a non‑Samsung device running a version earlier than 2.2.68 can therefore read data that the platform's permission model is supposed to protect. The weakness is catalogued as CWE‑284 (Improper Access Control). The CVSS 4.0 vector (AV:L, PR:N, UI:N) records that no privileges and no user interaction are needed, but also that the confidentiality impact is rated Low (VC:L) and there is no impact on integrity or availability.

Affected Systems

Affected: the Galaxy Wearable application (vendor: Samsung Mobile) in versions earlier than 2.2.68, when installed on non‑Samsung hardware. According to the description, the same app on Samsung devices is not affected, and versions 2.2.68 and later contain the fix. The issue is in the app itself, not in device firmware.

Risk and Exploitability

The CVSS 4.0 base score of 5.1 indicates moderate severity, and the EPSS score of less than 1% suggests exploitation in the wild is unlikely. The vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation: none, Automatable: no and Technical Impact: partial. An attacker needs local access to the device (for example via a co‑installed malicious app); no network access or remote code execution is involved. Successful exploitation yields unauthorized disclosure of user data handled by the app. The description does not say which data is exposed; if it includes credentials or tokens, follow‑on attacks become possible, but that is not established by the advisory.

Generated by OpenCVE AI on April 17, 2026 at 23:54 UTC.

Remediation

No separate workaround is listed for this record. The fix is the updated app: the description identifies version 2.2.68 as the first version that is not affected.

OpenCVE Recommended Actions

  • Upgrade Galaxy Wearable to version 2.2.68 or later on every non‑Samsung device where it is installed (check the installed versionName rather than relying on app‑store auto‑update having run).
  • Where an upgrade is not yet possible, revoke the app's sensitive runtime permissions in the Android settings or disable/uninstall the app on non‑Samsung devices until it can be updated.
  • On managed fleets, use MDM policy to enforce a minimum app version of 2.2.68 or to restrict installation of Galaxy Wearable to the Samsung devices where it is actually needed.
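The first recommended action is only useful if you can tell which installed build you have. The following script is an added example (not code from OpenCVE or Samsung): it reads the versionName from Android's `dumpsys package` output and compares it against the fixed version 2.2.68 from the description. It assumes the app's Android package name is com.samsung.android.app.watchmanager, which the page does not state, and it needs `adb` only in `--live` mode; by default it runs against a constructed sample of the dumpsys output.

```shell
#!/bin/sh
# Added example for CVE-2026-20984 (not from the OpenCVE page or Samsung).
# Assumption: Galaxy Wearable's package name is com.samsung.android.app.watchmanager.
# Assumption: `adb` is on PATH and a device is authorised when run with --live.

FIXED_VERSION="2.2.68"   # first unaffected version, per the CVE description

# version_lt A B : exit 0 if dotted version A sorts before B, comparing
# component by component numerically (missing components count as 0).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        if [ "$ax" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bx" = "$b" ]; then b=""; else b="${b#*.}"; fi
        # keep digits only so suffixes such as "-beta" do not break [ -lt ]
        ax=$(printf '%s' "$ax" | tr -cd '0-9'); ax="${ax:-0}"
        bx=$(printf '%s' "$bx" | tr -cd '0-9'); bx="${bx:-0}"
        [ "$ax" -lt "$bx" ] && return 0
        [ "$ax" -gt "$bx" ] && return 1
    done
    return 1   # equal
}

# classify_version V : prints "vulnerable" if V < 2.2.68, otherwise "fixed"
classify_version() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo fixed
    fi
}

# parse_version_name : reads `dumpsys package <pkg>` output on stdin and
# prints the first versionName value found
parse_version_name() {
    sed -n 's/^[[:space:]]*versionName=\(.*\)$/\1/p' | head -n 1
}

# Constructed sample of the relevant dumpsys lines (not captured from a real device).
SAMPLE_DUMPSYS='Packages:
  Package [com.samsung.android.app.watchmanager] (1a2b3c):
    versionCode=2206700000 minSdk=26 targetSdk=34
    versionName=2.2.67'

if [ "${1:-}" = "--live" ]; then
    installed=$(adb shell dumpsys package com.samsung.android.app.watchmanager \
                | tr -d '\r' | parse_version_name)
else
    installed=$(printf '%s\n' "$SAMPLE_DUMPSYS" | parse_version_name)
fi

if [ -z "$installed" ]; then
    echo "Galaxy Wearable not found (package name assumption may be wrong)"
else
    echo "Galaxy Wearable versionName=$installed -> $(classify_version "$installed")"
fi
```

Run it with `--live` against a connected non‑Samsung device; anything reported as "vulnerable" should be updated. A plain string comparison would get 2.10.x wrong against 2.2.68, which is why the comparison is done per numeric component.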


Advisories

No advisories yet.

History

Sat, 18 Apr 2026 00:15:00 +0000

Type | Values Removed | Values Added
Title | | Galaxy Wearable Permission Handling Vulnerability Enables Local Information Disclosure
Weaknesses | | CWE-284

Wed, 04 Feb 2026 21:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Samsung; Samsung galaxy Wearable; Samsung Mobile; Samsung Mobile galaxy Wearable
Vendors & Products | | Samsung; Samsung galaxy Wearable; Samsung Mobile; Samsung Mobile galaxy Wearable

Wed, 04 Feb 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 06:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper handling of insufficient permission in Galaxy Wearable installed on non-Samsung Device prior to version 2.2.68 allows local attackers to access sensitive information.
References | |
Metrics | | cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Samsung Galaxy Wearable
Samsung Mobile Galaxy Wearable
MITRE

Status: PUBLISHED

Assigner: SamsungMobile

Published:

Updated: 2026-02-04T16:57:38.337Z

Reserved: 2025-12-11T01:33:35.799Z

Link: CVE-2026-20984

Vulnrichment

Updated: 2026-02-04T16:57:35.972Z

NVD

Status : Deferred

Published: 2026-02-04T07:16:00.517

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-20984

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T00:00:09Z

Weaknesses