Skip to main content

Hikvision Hik-Connect App CVE-2026-32684

| EUVDEUVD-2026-29447 LOW
Incorrect Permission Assignment for Critical Resource (CWE-732)
2026-05-12 hikvision GHSA-76rw-6xcg-jrh4
2.9
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
2.9 LOW
AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 11:32 vuln.today
CVE Published
May 12, 2026 - 10:51 nvd
LOW 2.9

DescriptionCVE.org

The application does not impose strict enough restrictions on directory access permissions, posing a risk that other malicious applications could obtain sensitive information.

AnalysisAI

Hikvision Hik-Connect App fails to enforce strict directory access permissions, allowing other locally-installed applications to read sensitive information stored by the app on the device filesystem. The vulnerability requires local access and high attack complexity but poses information disclosure risk to users with multiple apps on the same device. No public exploit or active exploitation has been identified; CVSS score of 2.9 reflects the local-only attack vector and limited confidentiality impact.

Technical ContextAI

The vulnerability stems from inadequate filesystem permission controls on directories and files used by the Hik-Connect mobile application. Rather than a cryptographic or protocol-level flaw, this is a configuration/implementation issue where the app stores sensitive data (likely authentication tokens, user credentials, or personal information) in filesystem locations that are readable by other applications running under different user contexts or with elevated privileges on the same device. This is classified as an information disclosure vulnerability (CWE not specified but likely CWE-276: Incorrect Default Permissions or CWE-377: Insecure Temporary File). The attack surface is constrained to local access on the device where Hik-Connect is installed-typically a smartphone or tablet.

RemediationAI

Hikvision should update the Hik-Connect App to a patched version that enforces strict directory permissions (mode 0700 or equivalent platform-specific private storage) on all directories and files containing sensitive data, and ensures the app uses platform-provided secure storage mechanisms (Android KeyStore on Android, Keychain on iOS). Users should immediately update the Hik-Connect App through their device's official app store to receive the security patch once released. As a compensating control pending patching, users should avoid installing untrusted third-party applications on devices running Hik-Connect, and should review and restrict permissions granted to other installed apps (particularly file system access permissions). Additionally, users should disable any non-essential APIs or debug modes in Hik-Connect if available. Note that these compensating controls do not eliminate the vulnerability but reduce the likelihood of exploitation by limiting the attack surface.

Share

CVE-2026-32684 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy