Description
A vulnerability was determined in CityData CityChat up to 0.12.6 on Android. Affected by this vulnerability is an unknown functionality of the file resources/assets/flutter_assets/assets/credentials.json of the component ai.citydata.citychat. Executing a manipulation can lead to unprotected storage of credentials. The attack requires local access. A high complexity level is associated with this attack. The exploitation appears to be difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-16
Score: 2 Low
EPSS: < 1% Very Low
KEV: No
Impact: Credential Exposure
Action: Patch
AI Analysis

Impact

The vulnerability allows an attacker with local access to manipulate the credentials.json file at resources/assets/flutter_assets/assets/credentials.json in the ai.citydata.citychat component of CityData CityChat. This results in unprotected storage of credentials, effectively exposing sensitive authentication information. The weakness is identified as CWE-255 (Plaintext Storage of Sensitive Information) and CWE-256 (Improper Restriction of Default Permissions). The primary impact is disclosure of credentials, potentially allowing further unauthorized access to services tied to those credentials. The attack is difficult to execute and requires a high level of complexity, but because the exploit is publicly disclosed it remains a concern for devices that have not been patched or do not enforce strict local access controls.

Affected Systems

CityData CityChat versions up to 0.12.6 running on Android are affected. The exact list of affected versions is not explicitly provided in the source information. The product vendor is identified as CityData, and the component in question is ai.citydata.citychat.

Risk and Exploitability

The CVSS score of 2 indicates a low severity rating. EPSS information is not available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack requires local access and a high complexity level, making exploitation difficult, but the public disclosure of the exploit means it could be used opportunistically on vulnerable devices. Consequently, the overall risk is low to moderate, but the confidentiality impact warrants deferral until an official fix or alternative mitigation can be applied.

Generated by OpenCVE AI on March 17, 2026 at 11:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch or upgrade to a version newer than 0.12.6 when available.
  • If no patch is released, immediately restrict local read/write access to the credentials.json file.
  • Consider removing or encrypting credentials.json and moving sensitive data to a secure store that requires explicit authorization.
  • Monitor the vendor’s support pages for updates or advisories and verify that the device firmware or app version has been updated.
  • Verify that any device with local storage permissions is configured to limit unauthorized file system access.

Generated by OpenCVE AI on March 17, 2026 at 11:51 UTC.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Citydata; Citydata citychat
Vendors & Products | | Citydata; Citydata citychat

Mon, 16 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 16:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was determined in CityData CityChat up to 0.12.6 on Android. Affected by this vulnerability is an unknown functionality of the file resources/assets/flutter_assets/assets/credentials.json of the component ai.citydata.citychat. Executing a manipulation can lead to unprotected storage of credentials. The attack requires local access. A high complexity level is associated with this attack. The exploitation appears to be difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | CityData CityChat ai.citydata.citychat credentials.json credentials storage
Weaknesses | | CWE-255; CWE-256
References | |
Metrics | | cvssV2_0: {'score': 1, 'vector': 'AV:L/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0: {'score': 2.5, 'vector': 'CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1: {'score': 2.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0: {'score': 2, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-16T18:17:54.591Z

Reserved: 2026-03-16T06:10:42.442Z

Link: CVE-2026-4251

Vulnrichment

Updated: 2026-03-16T18:17:50.345Z

NVD

Status: Awaiting Analysis

Published: 2026-03-16T17:16:31.840

Modified: 2026-03-17T14:20:01.670

Link: CVE-2026-4251

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:50:18Z

Weaknesses