Description
A vulnerability was found in Albert Sağlık Hizmetleri ve Ticaret Albert Health up to 1.7.3 on Android. Affected is an unknown function of the file resources/assets/service-account.json of the component Google Cloud Service Account Key Handler. Performing a manipulation results in unprotected storage of credentials. The attack requires a local approach. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-16
Score: 2 Low
EPSS: < 1% Very Low
KEV: No
Impact: Credentials Exposure
Action: Assess
AI Analysis

Impact

The vulnerability lies in the Google Cloud Service Account Key Handler component of Albert Health, where the file resources/assets/service-account.json is stored without protection. The exposed credentials can be used by an attacker to gain unauthorized access to Google Cloud resources, potentially compromising data confidentiality and integrity. The weakness is a cleartext storage of sensitive information (CWE-255) and a plain text disclosure of credentials (CWE-256). The description states that the vulnerability requires a local approach and that the exploitation is considered difficult, yet the exploit has been made public.

Affected Systems

The affected product is Albert Sağlık Hizmetleri ve Ticaret Albert Health version 1.7.3 and earlier on Android devices. The vulnerability involves an unknown function within the service-account.json file mentioned as part of the Google Cloud Service Account Key Handler.

Risk and Exploitability

The CVSS score is 2, indicating low severity, and the EPSS score is not available. The vulnerability is not listed in the KEV catalog. The attack vector is inferred to be local, with high complexity and difficult exploitability as stated in the vendor description. Despite the low CVSS, the availability of public exploits suggests that a local actor could potentially retrieve service account keys and use them to access sensitive cloud data.

Generated by OpenCVE AI on March 17, 2026 at 11:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Audit the application to ensure no service-account.json files containing plaintext credentials are included in the codebase.
  • If such files exist, remove them or encrypt the credentials before embedding them.
  • Consider using a secure secret management system or environment variables instead of embedding credentials in the application.
  • Verify if a newer version of Albert Health is available and apply any vendor update that addresses this issue.
  • Regularly review the application for hidden credentials and monitor for any unauthorized access attempts on cloud resources.
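
One way to carry out the first audit step above, as an added example (not code from OpenCVE or the vendor): a Python check that walks the entries of an APK, which is a ZIP archive, and flags any file shaped like a Google Cloud service account key. The sample APK is constructed in memory with placeholder values, and the function names are hypothetical.

```python
import io
import json
import zipfile

# Fields every Google Cloud service account key file carries.
KEY_FIELDS = {"type", "private_key", "client_email"}
MAX_SIZE = 64 * 1024  # key files are a few KB; skip larger entries


def find_service_account_keys(apk):
    """Scan an APK (path or binary file object) for embedded key files.
    Matching is on content, not name; key material is not copied out."""
    findings = []
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_SIZE:
                continue
            try:
                doc = json.loads(zf.read(info).decode("utf-8"))
            except (UnicodeDecodeError, json.JSONDecodeError):
                continue  # not JSON text
            if not isinstance(doc, dict) or not KEY_FIELDS <= doc.keys():
                continue
            if doc["type"] == "service_account":
                findings.append({"path": info.filename,
                                 "client_email": doc["client_email"],
                                 "private_key_id": doc.get("private_key_id")})
    return findings


def build_sample_apk():
    """Constructed sample: a ZIP laid out like an APK, holding a placeholder key."""
    key = {"type": "service_account", "private_key_id": "placeholder-key-id",
           "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
           "client_email": "svc@example-project.iam.gserviceaccount.com"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("assets/config.json", json.dumps({"api_base": "https://example.invalid"}))
        zf.writestr("assets/broken.json", "{not json")
        zf.writestr("resources/assets/service-account.json", json.dumps(key))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for f in find_service_account_keys(build_sample_apk()):
        print(f"{f['path']}: key {f['private_key_id']} for {f['client_email']}")
```

A finding means the key shipped to every device that installed that build, so it should be rotated in Google Cloud as well as removed from the next release.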


Advisories

No advisories yet.

History

Tue, 17 Mar 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Albert Sağlık Hizmetleri Ve Ticaret; Albert Sağlık Hizmetleri Ve Ticaret albert Health
Vendors & Products | | Albert Sağlık Hizmetleri Ve Ticaret; Albert Sağlık Hizmetleri Ve Ticaret albert Health

Mon, 16 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 15:45:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was found in Albert Sağlık Hizmetleri ve Ticaret Albert Health up to 1.7.3 on Android. Affected is an unknown function of the file resources/assets/service-account.json of the component Google Cloud Service Account Key Handler. Performing a manipulation results in unprotected storage of credentials. The attack requires a local approach. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | Albert Sağlık Hizmetleri ve Ticaret Albert Health Google Cloud Service Account Key service-account.json credentials storage
Weaknesses | | CWE-255; CWE-256
References | |
Metrics | | cvssV2_0: {'score': 1, 'vector': 'AV:L/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 2.5, 'vector': 'CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 2.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 2, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-16T18:12:04.287Z

Reserved: 2026-03-16T06:06:30.949Z

Link: CVE-2026-4250

Vulnrichment

Updated: 2026-03-16T18:11:50.298Z

NVD

Status: Awaiting Analysis

Published: 2026-03-16T16:16:18.497

Modified: 2026-03-17T14:20:01.670

Link: CVE-2026-4250

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:50:19Z

Weaknesses