Skip to main content

Chess.com Android App CVE-2026-13514

| EUVDEUVD-2026-40011 LOW
Improper Authorization (CWE-285)
2026-06-29 cna@vuldb.com GHSA-579g-w2m6-c36g
0.9
CVSS 4.0 · Vendor: vuldb

Severity by source

Vendor (vuldb) PRIMARY
0.9 LOW
CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
2.4 LOW

Physical access required (AV:P) with no privileges or user interaction needed; only limited confidentiality impact from backup data exposure, no integrity or availability effect.

3.1 AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (vuldb).

CVSS VectorVendor: vuldb

CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 29, 2026 - 00:30 vuln.today

DescriptionCVE.org

A weakness has been identified in Chess Play and Learn App up to 4.9.42 on Android. This issue affects some unknown processing of the file AndroidManifest.xml of the component com.chess. This manipulation causes exposure of backup file to an unauthorized control sphere. It is feasible to perform the attack on the physical device. The exploit has been made available to the public and could be used for attacks. Upgrading the affected component is advised. The vendor was informed early about this issue. They confirmed the existence and that they will address it. Furthermore, they explain that their bug bounty "explicitly excludes physical-access attacks". However, they appreciate the quality of the report and aim at making a goodwill payment to the researcher.

AnalysisAI

Chess Play and Learn (chess.com) Android app versions up to 4.9.42 expose application backup files to unauthorized parties through a misconfiguration in AndroidManifest.xml that enables Android's backup mechanism without adequate authorization controls. Physical access to the target device is required to exploit this issue. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain physical USB access to device
Delivery
Enable or exploit existing ADB debug access
Exploit
Execute adb backup for com.chess package
Execution
Extract and decompress backup archive
Impact
Access sensitive app data (tokens/credentials)

Vulnerability AssessmentAI

Exploitation Exploitation requires physical access to the target Android device - the CVSS 4.0 AV:P metric confirms this is not remotely exploitable. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is very low. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker gains brief physical access to a target's Android device - for example, an unlocked phone left unattended - with USB debugging enabled or through ADB access. They connect the device to a laptop and run adb backup -noapk com.chess, extracting the application's data directory. …
Remediation The primary fix is to upgrade to a version of Chess Play and Learn beyond 4.9.42 once the vendor releases a patched build addressing the AndroidManifest.xml backup configuration. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13514 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy