Description
Path traversal vulnerability in the certificate management module. Impact: Successful exploitation of this vulnerability may affect availability.
Published: 2026-03-05
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Availability Impact
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a path traversal flaw in Huawei HarmonyOS’s certificate management module. It allows an attacker to navigate outside the intended directory hierarchy when managing certificates. The primary impact of a successful exploit is a denial of service, potentially disrupting the functionality of the certificate module and thereby affecting broader system availability. The weakness is classified as CWE‑22 (Path Traversal) and CWE‑24 (Absolute Path Traversal).

Affected Systems

Huawei HarmonyOS 5.1.0 and HarmonyOS 6.0.0 are affected. The flaw exists in the certificate management component of these operating system releases, which is responsible for handling user and system certificates.

Risk and Exploitability

The CVSS score is 5.9, indicating a moderate severity. The EPSS score is less than 1 %, reflecting a very low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is likely local or remote with prior authentication, as the certificate management module is typically accessed via the system interface; however, the exact vector is not explicitly documented and is inferred from the nature of the flaw.

Generated by OpenCVE AI on April 16, 2026 at 12:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official HarmonyOS security patch that addresses the path traversal in the certificate management module for all affected OS versions.
  • If a patch is not yet available, disable or restrict access to the certificate management functionality until the fix is applied.
  • Validate that the file system permissions for certificate directories are set to prevent traversal and monitor logs for anomalous certificate upload attempts.

Generated by OpenCVE AI on April 16, 2026 at 12:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
Title Path Traversal in HarmonyOS Certificate Management Leading to Availability Issues

Thu, 05 Mar 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Huawei
Huawei harmonyos
Weaknesses CWE-22
CPEs cpe:2.3:o:huawei:harmonyos:5.1.0:*:*:*:*:*:*:*
cpe:2.3:o:huawei:harmonyos:6.0.0:*:*:*:*:*:*:*
Vendors & Products Huawei
Huawei harmonyos

Thu, 05 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 08:15:00 +0000

Type Values Removed Values Added
Description Path traversal vulnerability in the certificate management module. Impact: Successful exploitation of this vulnerability may affect availability.
Weaknesses CWE-24
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

Huawei Harmonyos
cve-icon MITRE

Status: PUBLISHED

Assigner: huawei

Published:

Updated: 2026-03-05T15:41:01.992Z

Reserved: 2026-02-28T03:58:12.087Z

Link: CVE-2026-28538

cve-icon Vulnrichment

Updated: 2026-03-05T15:29:03.304Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-05T08:15:58.510

Modified: 2026-03-05T21:38:16.290

Link: CVE-2026-28538

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T12:30:06Z

Weaknesses