Description
Incorrect default permission in Galaxy Wearable prior to version 2.2.68.26 allows local attackers to access sensitive information.
Published: 2026-04-13
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive information disclosure
Action: Patch
AI Analysis

Impact

The vulnerability originates from an incorrectly configured default permission in Samsung Mobile's Galaxy Wearable firmware before version 2.2.68.26. Because the default settings grant broader access than intended, a local attacker can read restricted files or data stored on the wearable, leading to accidental or intentional disclosure of personal or sensitive information. This weakness represents an improper access control (CWE‑284) and can expose data that a user entrusts to the device.

Affected Systems

The affected product is Samsung Mobile's Galaxy Wearable firmware on compatible wearable devices. Versions earlier than 2.2.68.26 are vulnerable. No specific device models are listed, so all Galaxy Wearable devices with firmware before that version are at risk.

Risk and Exploitability

The reported CVSS score of 6.9 indicates moderate severity, primarily because the attack requires local access. The EPSS score is not available, so exploitation likelihood is not quantified. The vulnerability is not listed in CISA's KEV catalog. Based on the description, it appears the attack vector is local, meaning the attacker must have physical possession of the wearable or be paired with a compromised smartphone. Once local access is achieved, the attacker can read protected data, potentially leading to privacy violations.

Generated by OpenCVE AI on April 13, 2026 at 07:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official firmware update to version 2.2.68.26 or later on all Samsung Galaxy Wearable devices.
  • If an update is not available, lock the device, restrict application permissions, and avoid sharing sensitive data over the device.
  • Monitor device logs and usage for abnormal access patterns and report any suspicious activity to Samsung support.



Advisories

No advisories yet.

History

Mon, 13 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 14:30:00 +0000

Type | Values Removed | Values Added
Title | | Galaxy Wearable Default Permission Misconfiguration Exposes Sensitive Information
Weaknesses | | CWE-284

Mon, 13 Apr 2026 13:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Samsung Mobile; Samsung Mobile galaxy Wearable
Vendors & Products | | Samsung Mobile; Samsung Mobile galaxy Wearable

Mon, 13 Apr 2026 06:15:00 +0000

Type | Values Removed | Values Added
Description | | Incorrect default permission in Galaxy Wearable prior to version 2.2.68.26 allows local attackers to access sensitive information.
References | |
Metrics | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: SamsungMobile

Published:

Updated: 2026-04-13T14:35:12.877Z

Reserved: 2025-12-11T01:33:35.803Z

Link: CVE-2026-21013

Vulnrichment

Updated: 2026-04-13T14:35:06.030Z

NVD

Status: Awaiting Analysis

Published: 2026-04-13T06:16:06.010

Modified: 2026-04-13T15:01:43.663

Link: CVE-2026-21013

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T12:52:55Z

Weaknesses