{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5452", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-02T22:08:50.188Z", "datePublished": "2026-04-03T02:45:09.544Z", "dateUpdated": "2026-04-03T14:45:11.495Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-03T02:45:09.544Z"}, "title": "UCC CampusConnect App campusconnect.ucc BuildConfig.java hard-coded key", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-321", "lang": "en", "description": "Use of Hard-coded Cryptographic Key"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-320", "lang": "en", "description": "Key Management Error"}]}], "affected": [{"vendor": "UCC", "product": "CampusConnect App", "versions": [{"version": "14.3.0", "status": "affected"}, {"version": "14.3.1", "status": "affected"}, {"version": "14.3.2", "status": "affected"}, {"version": "14.3.3", "status": "affected"}, {"version": "14.3.4", "status": "affected"}, {"version": "14.3.5", "status": "affected"}], "modules": ["campusconnect.ucc"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in UCC CampusConnect App up to 14.3.5 on Android. This vulnerability affects unknown code of the file campusconnect/BuildConfig.java of the component campusconnect.ucc. This manipulation causes use of hard-coded cryptographic key\r . The attack can only be executed locally. The exploit has been published and may be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-02T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-03T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-03T00:13:57.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "fxizenta (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/355040", "name": "VDB-355040 | UCC CampusConnect App campusconnect.ucc BuildConfig.java hard-coded key", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/355040/cti", "name": "VDB-355040 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/781757", "name": "Submit #781757 | CampusConnect\u2122 UCC CampusConnect(campusconnect.ucc) 14.3.5 Uploadcare Private Key Exposure", "tags": ["third-party-advisory"]}, {"url": "https://www.notion.so/Uploadcare-Private-Key-Exposure-Leading-to-Unauthorized-File-Operations-and-Potential-RCE-in-campusc-3262de3f97fb8057bc67ec4320672d99?source=copy_link", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T14:45:03.299154Z", "id": "CVE-2026-5452", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T14:45:11.495Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5452", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T14:45:03.299154Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T14:45:07.923Z"}}], "cna": {"title": "UCC CampusConnect App campusconnect.ucc BuildConfig.java hard-coded key", "credits": [{"lang": "en", "type": "reporter", "value": "fxizenta (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "UCC", "modules": ["campusconnect.ucc"], "product": "CampusConnect App", "versions": [{"status": "affected", "version": "14.3.0"}, {"status": "affected", "version": "14.3.1"}, {"status": "affected", "version": "14.3.2"}, {"status": "affected", "version": "14.3.3"}, {"status": "affected", "version": "14.3.4"}, {"status": "affected", "version": "14.3.5"}]}], "timeline": [{"lang": "en", "time": "2026-04-02T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-03T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-03T00:13:57.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/355040", "name": "VDB-355040 | UCC CampusConnect App campusconnect.ucc BuildConfig.java hard-coded key", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/355040/cti", "name": "VDB-355040 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/781757", "name": "Submit #781757 | CampusConnect\u2122 UCC CampusConnect(campusconnect.ucc) 14.3.5 Uploadcare Private Key Exposure", "tags": ["third-party-advisory"]}, {"url": "https://www.notion.so/Uploadcare-Private-Key-Exposure-Leading-to-Unauthorized-File-Operations-and-Potential-RCE-in-campusc-3262de3f97fb8057bc67ec4320672d99?source=copy_link", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in UCC CampusConnect App up to 14.3.5 on Android. This vulnerability affects unknown code of the file campusconnect/BuildConfig.java of the component campusconnect.ucc. This manipulation causes use of hard-coded cryptographic key\r . The attack can only be executed locally. The exploit has been published and may be used."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-321", "description": "Use of Hard-coded Cryptographic Key"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-320", "description": "Key Management Error"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-03T02:45:09.544Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5452", "state": "PUBLISHED", "dateUpdated": "2026-04-03T14:45:11.495Z", "dateReserved": "2026-04-02T22:08:50.188Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-03T02:45:09.544Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in UCC CampusConnect App up to 14.3.5 on Android. This vulnerability affects unknown code of the file campusconnect/BuildConfig.java of the component campusconnect.ucc. This manipulation causes use of hard-coded cryptographic key\r . The attack can only be executed locally. The exploit has been published and may be used."}], "id": "CVE-2026-5452", "lastModified": "2026-04-24T18:13:28.877", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 1.7, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.1, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-03T04:17:10.950", "references": [{"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/781757"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355040"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355040/cti"}, {"source": "cna@vuldb.com", "url": "https://www.notion.so/Uploadcare-Private-Key-Exposure-Leading-to-Unauthorized-File-Operations-and-Potential-RCE-in-campusc-3262de3f97fb8057bc67ec4320672d99?source=copy_link"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-320"}, {"lang": "en", "value": "CWE-321"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "14.3.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "14.3.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "14.3.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "14.3.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "14.3.4"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "14.3.5"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "CampusConnect App", "source": "cna", "vendor": "UCC"}, "product": "campusconnect_app", "vendor": "ucc"}], "analysis": {"en": {"generated_at": "2026-04-03T06:20:46.323319+00:00", "value": {"mitigation_remediation": ["Verify you are running UCC CampusConnect App version 14.3.5 or later; if not, update immediately.", "If an updated version is not available, uninstall the app until a vendor release corrects the hard\u2011coded key issue.", "Limit local user access to the device or enforce device\u2011level encryption to reduce the chances of local exploitation.", "Monitor the device for unexpected file operations or application crashes that may indicate exploitation attempts.", "Contact UCC support or consult their security advisory channels for a confirmed patch or further guidance."], "summary": {"action": "Immediate Patch", "impact": "Local key exposure that can enable unauthorized file access and potential code execution."}, "threat_synthesis": {"affected_systems": "All instances of UCC CampusConnect App installed on Android devices running version 14.3.5 or earlier are affected. The issue originates in the campusconnect/BuildConfig.java source, and the vulnerability exists up to and including build 14.3.5. No additional versions have been documented as impacted.", "description_and_impact": "A flaw in the UCC CampusConnect Android application causes a hard\u2011coded cryptographic key to be used by the campusconnect.ucc component. This deficiency is classified as a cryptographic key management weakness, which can result in the exposure of sensitive data. An attacker with local access to the device could exploit this defect to read or manipulate protected files, and in some configurations may be able to execute arbitrary code. The vulnerability is listed under CWE\u2011320 and CWE\u2011321.", "risk_and_exploitability": "The CVSS base score is 4.8, indicating a moderate impact. EPSS data is not available, and the vulnerability is not included in the CISA KEV catalog, which suggests a lower probability of widespread exploitation at present. Nevertheless, because the flaw can be triggered on any device that has local administrative or user access, the risk to each compromised device is relatively high. An attacker would need physical or local logical access, but once that is achieved, no further remote entry is required."}}}}, "created": "2026-04-03T07:31:10.704439+00:00", "updated": "2026-04-03T09:15:58.346248+00:00", "vendors": ["ucc", "ucc$PRODUCT$campusconnect_app"]}