Description
A security vulnerability has been detected in XREAL Nebula App up to 3.2.1 on Android. This impacts an unknown function of the file in ai/nreal/nebula/flutterPlugin/CloudStoragePlugin.java of the component ai.nreal.nebula.universal. Such manipulation of the argument accessKey/secretAccessKey/securityToken leads to unprotected storage of credentials. The attack can only be performed from a local environment. The attack requires a high level of complexity. The exploitability is said to be difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-16
Score: 2 Low
EPSS: < 1% Very Low
KEV: No
Impact: Credential Exposure
Action: Patch
AI Analysis

Impact

The XREAL Nebula App contains a flaw in CloudStoragePlugin.java that allows manipulation of the arguments accessKey, secretAccessKey, and securityToken. According to the CVE description, handling these arguments incorrectly leads to credentials being stored in an unprotected location. The weakness is a direct instance of plaintext storage of sensitive information (CWE-255) and missing encryption of sensitive data (CWE-256). If an attacker can supply malicious values, they can cause the application to write credential strings to a location that is not protected, thereby exposing them.

Affected Systems

The vulnerability affects all Android installations of XREAL Nebula App up to version 3.2.1. The flaw exists in the ai/nreal/nebula/flutterPlugin/CloudStoragePlugin.java file of the ai.nreal.nebula.universal component. No later versions are listed as impacted and no vendor patch has been publicly released as of the data provided.

Risk and Exploitability

The CVSS score of 2.0 indicates low overall severity, and the EPSS score of less than 1% shows a very low likelihood of exploitation. The vulnerability is exploitable only from a local environment, requires a high level of complexity, and is described as difficult to exploit. It is not listed in the CISA Known Exploited Vulnerabilities catalog. Given these metrics, the risk is low for most users but still significant for those who rely on the app to store sensitive credentials, as exposure could lead to credential theft.

Generated by OpenCVE AI on March 17, 2026 at 12:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and install the latest XREAL Nebula App update that addresses the credential storage issue.
  • If no update is available, consider uninstalling or disabling the Nebula App until a patch is released.
  • Contact XREAL support to report the vulnerability and request a fix.
  • Use secure storage mechanisms, such as the Android Keystore system, for any credentials stored by other applications.
  • Monitor vendor announcements for a future patch or advisory.

Generated by OpenCVE AI on March 17, 2026 at 12:08 UTC.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Xreal; Xreal nebula App

Type: Vendors & Products
Values Removed: (none)
Values Added: Xreal; Xreal nebula App

Mon, 16 Mar 2026 16:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 07:00:00 +0000

Type: Description
Values Removed: A security vulnerability has been detected in XREAL Nebula App up to 3.2.1 on Android. This impacts an unknown function of the file in ai/nreal/nebula/flutterPlugin/CloudStoragePlugin.java of the component ai.nreal.nebula.universal. Such manipulation of the argument accessKey/secretAccessKey/securityToken leads to key management error. The attack can only be performed from a local environment. The attack requires a high level of complexity. The exploitability is said to be difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Values Added: A security vulnerability has been detected in XREAL Nebula App up to 3.2.1 on Android. This impacts an unknown function of the file in ai/nreal/nebula/flutterPlugin/CloudStoragePlugin.java of the component ai.nreal.nebula.universal. Such manipulation of the argument accessKey/secretAccessKey/securityToken leads to unprotected storage of credentials. The attack can only be performed from a local environment. The attack requires a high level of complexity. The exploitability is said to be difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
Values Removed: XREAL Nebula App ai.nreal.nebula.universal CloudStoragePlugin.java key management
Values Added: XREAL Nebula App ai.nreal.nebula.universal CloudStoragePlugin.java credentials storage

Type: Weaknesses
Values Removed: CWE-320
Values Added: CWE-255, CWE-256

Mon, 16 Mar 2026 05:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: A security vulnerability has been detected in XREAL Nebula App up to 3.2.1 on Android. This impacts an unknown function of the file in ai/nreal/nebula/flutterPlugin/CloudStoragePlugin.java of the component ai.nreal.nebula.universal. Such manipulation of the argument accessKey/secretAccessKey/securityToken leads to key management error. The attack can only be performed from a local environment. The attack requires a high level of complexity. The exploitability is said to be difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
Values Removed: (none)
Values Added: XREAL Nebula App ai.nreal.nebula.universal CloudStoragePlugin.java key management

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-320

Type: References

Type: Metrics
Values Removed: (none)
Values Added:
cvssV2_0 {'score': 1, 'vector': 'AV:L/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
cvssV3_0 {'score': 2.5, 'vector': 'CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
cvssV3_1 {'score': 2.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
cvssV4_0 {'score': 2, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-16T15:29:54.628Z

Reserved: 2026-03-15T15:14:12.416Z

Link: CVE-2026-4217

Vulnrichment

Updated: 2026-03-16T15:29:51.261Z

NVD

Status: Awaiting Analysis

Published: 2026-03-16T14:20:08.967

Modified: 2026-03-16T14:53:07.390

Link: CVE-2026-4217

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:45:49Z

Weaknesses