CVE-2026-4217

LOW 2.5

XREAL Nebula App ai.nreal.nebula.universal CloudStoragePlugin.java credentials storage

CVSS Score

2.5

EPSS Score

0.0%

EPSS Percentile

0th

A security vulnerability has been detected in XREAL Nebula App up to 3.2.1 on Android. This impacts an unknown function of the file in ai/nreal/nebula/flutterPlugin/CloudStoragePlugin.java of the component ai.nreal.nebula.universal. Such manipulation of the argument accessKey/secretAccessKey/securityToken leads to unprotected storage of credentials. The attack can only be performed from a local environment. The attack requires a high level of complexity. The exploitability is said to be difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE	CWE-256 CWE-255
Vendor	xreal
Product	nebula app
Published	Mar 16, 2026
Last Updated	Mar 16, 2026

Stay Ahead of the Next One

Get instant alerts for xreal nebula app

Be the first to know when new low vulnerabilities affecting xreal nebula app are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

XREAL / Nebula App

3.2.0 3.2.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/?id.351141 vuldb.com: https://vuldb.com/?ctiid.351141 vuldb.com: https://vuldb.com/?submit.770503 notion.so: https://www.notion.so/Exposed-Cryptographic-Key-and-IV-in-ai-nreal-nebula-universal-3172de3f97fb80b5a987eac2c49527e2?source=copy_link

Credits

🔍 fxizenta (VulDB User) VulDB