Description
The application does not impose strict enough restrictions on directory access permissions, posing a risk that other malicious applications could obtain sensitive information.
Published: 2026-05-12
Score: 2.9 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the Hik-Connect APP’s inadequate enforcement of directory access permissions, allowing malicious applications on the same device to read files that should be protected. This flaw could lead to disclosure of confidential data stored by the application, affecting the confidentiality of the information but not its integrity or availability. The vulnerability is an example of improper access control that risks data exposure.

Affected Systems

The affected product is the Hikvision Hik-Connect APP. No specific version information is disclosed; therefore any current or prior releases of this application may be susceptible until a fix is applied.

Risk and Exploitability

The CVSS score of 2.9 reflects a low overall severity. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, indicating a relatively low exploitation probability. The likely attack vector requires that an adversary be able to install a malicious application on the same device or otherwise gain local access to it. The requirement for a local foothold makes immediate widespread exploitation less probable, but the potential impact on confidentiality warrants proactive assessment and remediation.

Generated by OpenCVE AI on May 12, 2026 at 12:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available security update or patch for the Hik-Connect APP
  • Configure the device’s file system to restrict directory read/write access strictly to authorized applications and users
  • Remove or disable any untrusted or unknown applications from the device to reduce the attack surface


Advisories

No advisories yet.

History

Tue, 12 May 2026 12:45:00 +0000

Type | Values Removed | Values Added
Title | | Insufficient Directory Access Restrictions Allow Sensitive Data Exposure
Weaknesses | | CWE-284, CWE-732

Tue, 12 May 2026 11:15:00 +0000

Type | Values Removed | Values Added
Description | | The application does not impose strict enough restrictions on directory access permissions, posing a risk that other malicious applications could obtain sensitive information.
References | |
Metrics | | cvssV3_1 {'score': 2.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: hikvision

Published:

Updated: 2026-05-12T12:07:02.989Z

Reserved: 2026-03-13T07:45:08.745Z

Link: CVE-2026-32684

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T11:16:19.283

Modified: 2026-05-12T11:16:19.283

Link: CVE-2026-32684

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T12:30:15Z

Weaknesses