Description
A flaw has been found in INDEX Conferences & Exhibitions Organization YWF BPOF APGCS App up to 1.0.2 on Android. Affected by this vulnerability is an unknown functionality of the file com/index/event/BuildConfig.java of the component ae.index.apgcs. Executing a manipulation of the argument ACCESS_KEY/HASH_KEY can lead to hard-coded credentials. The attack is restricted to local execution. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-16
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Credential Exposure
Action: Apply Patch
AI Analysis

Impact

The BuildConfig.java file (com/index/event/BuildConfig.java, component ae.index.apgcs) of the INDEX Conferences & Exhibitions Organization YWF BPOF APGCS App contains hard-coded ACCESS_KEY and HASH_KEY values, which exposes them as credentials. This weakness corresponds to CWE-259 and CWE-798 and enables an attacker who can execute locally on the device to gain unauthorized access to backend services and potentially other protected resources.

Affected Systems

The vulnerability affects the INDEX Conferences & Exhibitions Organization YWF BPOF APGCS App on Android up to version 1.0.2. Users running any release of the app that includes the unpatched BuildConfig.java component are susceptible.

Risk and Exploitability

The CVSS 4.0 score for this issue is 4.8, indicating medium severity. The EPSS score is less than 1%, and the vulnerability is not listed in the CISA KEV catalog, suggesting a low probability of widespread exploitation. Exploitation is restricted to local execution: an adversary who gains local execution privilege on the device can leverage the hard-coded credentials to compromise the backend system.

Generated by OpenCVE AI on March 17, 2026 at 11:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the YWF BPOF APGCS App to a version newer than 1.0.2 once the vendor issues a patch
  • If upgrading is not immediately possible, remove or obfuscate the hard‑coded ACCESS_KEY and HASH_KEY values in BuildConfig.java and replace them with secure runtime credentials
  • Limit local device access through device security policies to reduce the risk of local execution



Advisories

No advisories yet.

History

Tue, 17 Mar 2026 10:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Index Conferences & Exhibitions Organization; Index Conferences & Exhibitions Organization ywf Bpof Apgcs App |
| Vendors & Products | | Index Conferences & Exhibitions Organization; Index Conferences & Exhibitions Organization ywf Bpof Apgcs App |

Mon, 16 Mar 2026 16:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| References | | |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Mon, 16 Mar 2026 07:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A flaw has been found in INDEX Conferences & Exhibitions Organization YWF BPOF APGCS App up to 1.0.2 on Android. Affected by this vulnerability is an unknown functionality of the file com/index/event/BuildConfig.java of the component ae.index.apgcs. Executing a manipulation of the argument ACCESS_KEY/HASH_KEY can lead to hard-coded credentials. The attack is restricted to local execution. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| Title | | INDEX Conferences & Exhibitions Organization YWF BPOF APGCS App ae.index.apgcs BuildConfig.java hard-coded credentials |
| Weaknesses | | CWE-259, CWE-798 |
| References | | |
| Metrics | | cvssV2_0: {'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'} |
| | | cvssV3_0: {'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'} |
| | | cvssV3_1: {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'} |
| | | cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-16T15:27:30.797Z

Reserved: 2026-03-15T16:25:29.066Z

Link: CVE-2026-4219

Vulnrichment

Updated: 2026-03-16T15:25:54.089Z

NVD

Status: Awaiting Analysis

Published: 2026-03-16T14:20:12.377

Modified: 2026-03-16T16:16:18.040

Link: CVE-2026-4219

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:45:46Z

Weaknesses