Description
Improper access control in Samsung Camera prior to version 16.5.00.28 allows local attacker to access location data. User interaction is required for triggering this vulnerability.
Published: 2026-04-13
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Location data disclosure
Action: Apply patch
AI Analysis

Impact

Samsung Camera application contains an improper access control flaw that permits a local attacker to read the device’s location data. The vulnerability allows disclosure of sensitive geographic information, which could be used for privacy invasion or targeted attacks. The weakness stems from insufficient permission checks when accessing location services, enabling unauthorized read access.

Affected Systems

Samsung Mobile devices with the Camera app version earlier than 16.5.00.28 are affected. This covers all models running any build of Samsung Camera before that update, regardless of region or release date.

Risk and Exploitability

The CVSS score of 5.1 indicates a medium severity. The EPSS score of <1% shows the likelihood of exploitation is very low. Samsung has not listed this issue in CISA’s KEV database. Because the vulnerability requires the attacker to be on the device and to engage the user, exploitation in the wild is unlikely, though an attacker with physical or personal access could still obtain location data once the condition is met.

Generated by OpenCVE AI on April 18, 2026 at 09:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Samsung Camera to version 16.5.00.28 or newer
  • If update is not possible, disable location permission for the Camera app or restrict its access to location data
  • Periodically check Samsung security advisories for the latest patches or additional workarounds

Generated by OpenCVE AI on April 18, 2026 at 09:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
Title Local Attackers Can Access Device Location via Samsung Camera Improper Access Control

Fri, 17 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
Title Local Attacker Can Access Location Data via Improper Access Control in Samsung Camera
Weaknesses CWE-284

Thu, 16 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Samsung
Samsung camera
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:samsung:camera:*:*:*:*:*:*:*:*
Vendors & Products Samsung
Samsung camera
Metrics cvssV3_1

{'score': 2.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N'}

Tue, 14 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Title Local Attacker Can Access Location Data via Improper Access Control in Samsung Camera
Weaknesses CWE-284

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Samsung Mobile
Samsung Mobile samsung Camera
Vendors & Products Samsung Mobile
Samsung Mobile samsung Camera

Mon, 13 Apr 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper access control in Samsung Camera prior to version 16.5.00.28 allows local attacker to access location data. User interaction is required for triggering this vulnerability.
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Samsung Camera
Samsung Mobile Samsung Camera
cve-icon MITRE

Status: PUBLISHED

Assigner: SamsungMobile

Published:

Updated: 2026-04-13T14:31:18.617Z

Reserved: 2025-12-11T01:33:35.803Z

Link: CVE-2026-21014

cve-icon Vulnrichment

Updated: 2026-04-13T14:25:58.837Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-13T06:16:06.140

Modified: 2026-04-16T17:23:57.580

Link: CVE-2026-21014

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T09:30:25Z

Weaknesses