Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
AL-KO Robolinho Update Software has hard-coded AWS Access and Secret keys that allow anyone to access AL-KO's AWS bucket. Using the keys directly might give the attacker greater access than the app itself. Key grants AT LEAST read access to some of the objects in bucket.
The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 8.0.21.0610 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
AnalysisAI
Hard-coded AWS credentials in AL-KO Robolinho Update Software allow unauthenticated attackers to directly access AL-KO's AWS S3 bucket with read permissions and potentially escalated privileges beyond the application's intended access model. Version 8.0.21.0610 is confirmed vulnerable; the full affected version range is unknown due to lack of vendor cooperation. No public exploit code or active exploitation has been reported, but the credentials are trivially extractable from the application binary.
Technical ContextAI
This vulnerability stems from embedded AWS Access Key and Secret Key credentials hardcoded within the AL-KO Robolinho Update Software application binary (CWE-798: Use of Hard-Coded Credentials). When an attacker obtains these credentials through static analysis, reverse engineering, or binary extraction, they can authenticate directly to AWS APIs using the AWS SDK or CLI, bypassing the application layer entirely. This grants access to the underlying S3 bucket at the IAM permission level of the embedded credentials, which may exceed the read-only constraints imposed by the application's user interface. The credential exposure is particularly severe because AWS keys are typically long-lived and grant access to cloud infrastructure that may contain sensitive deployment artifacts, configuration files, or other production data.
RemediationAI
AL-KO must immediately issue a patched version of Robolinho Update Software that removes all hard-coded AWS credentials and implements secure credential management (e.g., IAM roles, temporary STS tokens, or external credential vaults). Users should upgrade to the patched version as soon as it becomes available. In the interim, users should rotate the exposed AWS credentials immediately (delete and regenerate the leaked Access Key and Secret Key in the AWS IAM console) and apply a restrictive bucket policy to limit access to only required services. Additionally, audit S3 CloudTrail logs for any unauthorized access using the compromised credentials. CERT-PL's advisory is available at https://cert.pl/en/posts/2026/03/CVE-2026-1612; users should monitor AL-KO's official security channels for patch releases and vendor communication.
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17077