Description
Authentication bypass vulnerability in the device authentication module. Impact: Successful exploitation of this vulnerability will affect integrity and confidentiality.
Published: 2026-03-05
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authentication bypass leading to potential compromise of integrity and confidentiality
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is an authentication bypass in HarmonyOS’s device authentication module. An attacker who exploits this flaw can gain unauthorized access to the device’s internal functions, potentially leading to unauthorized data modification or leakage. The only stated consequences are loss of integrity and confidentiality, with no mention of denial of service or code execution.

Affected Systems

Huawei HarmonyOS versions 5.1.0 and 6.0.0 are impacted, as indicated by the vendor’s official advisory and the associated Common Platform Enumeration (CPE) strings.

Risk and Exploitability

The CVSS score of 9.6 signals a severe vulnerability. The EPSS score indicates a very low exploitation probability (<1%), and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. The attack vector is not explicitly disclosed, but the flaw resides in the device authentication layer, implying that an adversary would need to interact with the device, potentially over local or remote interfaces, to gain the bypass.

Generated by OpenCVE AI on April 18, 2026 at 09:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Huawei firmware update that addresses CVE-2026-28536 as published in the official support bulletin.
  • If an update is not immediately available, disable or limit remote authentication or restrict network access to authentication services as per Huawei’s temporary mitigation guidance.
  • Reconfigure the device to enforce strong authentication policies, ensuring only authenticated users can access privileged functions and that local accounts have the minimum required permissions.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 10:15:00 +0000

Type: Title
Values Added: Authentication Bypass in HarmonyOS Device Module

Fri, 06 Mar 2026 19:45:00 +0000

Type: CPEs
Values Added: cpe:2.3:o:huawei:harmonyos:5.1.0:*:*:*:*:*:*:*
cpe:2.3:o:huawei:harmonyos:6.0.0:*:*:*:*:*:*:*

Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Added: Huawei; Huawei harmonyos
Type: Vendors & Products
Values Added: Huawei; Huawei harmonyos

Thu, 05 Mar 2026 16:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 07:15:00 +0000

Type: Description
Values Added: Authentication bypass vulnerability in the device authentication module. Impact: Successful exploitation of this vulnerability will affect integrity and confidentiality.
Type: Weaknesses
Values Added: CWE-305
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 9.6, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: huawei

Published:

Updated: 2026-03-05T15:17:03.135Z

Reserved: 2026-02-28T03:58:12.087Z

Link: CVE-2026-28536

Vulnrichment

Updated: 2026-03-05T15:16:59.404Z

NVD

Status: Analyzed

Published: 2026-03-05T07:16:13.660

Modified: 2026-03-06T19:44:58.363

Link: CVE-2026-28536

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:00:10Z

Weaknesses