Description
A weakness has been identified in La Nacion App 10.2.25 on Android. This impacts an unknown function of the file source/app/lanacion/clublanacion/BuildConfig.java of the component app.lanacion.activity. Executing a manipulation of the argument API_KEY_WEBSOCKET_CV can lead to unprotected storage of credentials. The attack can only be executed locally. A high complexity level is associated with this attack. The exploitability is said to be difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-16
Score: 2 Low
EPSS: < 1% Very Low
KEV: No
Impact: Credential Exposure
Action: Patch
AI Analysis

Impact

A weakness in La Nacion App 10.2.25 allows manipulation of the argument API_KEY_WEBSOCKET_CV within BuildConfig.java to cause unprotected storage of WebSocket API keys. The exposure of these credentials results in confidentiality loss; an attacker could potentially use the leaked keys to establish unauthorized WebSocket connections to the app’s backend. Based on the description, it is inferred that possession of these keys could enable further malicious activities, such as data exfiltration or unauthorized access to services, although the CVE itself does not explicitly document these downstream effects.

Affected Systems

The affected system is La Nacion App version 10.2.25 running on Android devices. The vulnerability resides in an unknown function of source/app/lanacion/clublanacion/BuildConfig.java within the app.lanacion.activity component. No other vendors or product versions are listed as affected, and the vendor did not issue a public fix.

Risk and Exploitability

The CVSS score is 2, indicating low severity. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. The attack can only be executed locally, requires high complexity, and is considered difficult to perform; however, exploit code has already been made public. While the overall risk is low to moderate, local device access would grant an attacker sensitive credentials that could be leveraged for further attacks. The lack of an official patch heightens the importance of mitigating the credential leakage proactively.

Generated by OpenCVE AI on March 17, 2026 at 12:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the La Nacion App to the latest published version that removes the insecure API key storage
  • If no patch is available, manually delete the stored API_KEY_WEBSOCKET_CV value from the app’s local data or disable WebSocket usage within the app
  • Reinstall the application from a trusted source once a patched version is released
  • Monitor the device for any signs of local credential access or abnormal WebSocket traffic

Generated by OpenCVE AI on March 17, 2026 at 12:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared La Nacion App
La Nacion App la Nacion App
Vendors & Products La Nacion App
La Nacion App la Nacion App

Mon, 16 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in La Nacion App 10.2.25 on Android. This impacts an unknown function of the file source/app/lanacion/clublanacion/BuildConfig.java of the component app.lanacion.activity. Executing a manipulation of the argument API_KEY_WEBSOCKET_CV can lead to unprotected storage of credentials. The attack can only be executed locally. A high complexity level is associated with this attack. The exploitability is said to be difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title La Nacion App app.lanacion.activity BuildConfig.java credentials storage
Weaknesses CWE-255
CWE-256
References
Metrics cvssV2_0

{'score': 1, 'vector': 'AV:L/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 2.5, 'vector': 'CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 2.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 2, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

La Nacion App La Nacion App
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-16T18:18:28.414Z

Reserved: 2026-03-15T20:48:26.368Z

Link: CVE-2026-4243

cve-icon Vulnrichment

Updated: 2026-03-16T18:18:24.003Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-16T15:16:26.963

Modified: 2026-03-17T14:20:01.670

Link: CVE-2026-4243

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:50:23Z

Weaknesses