Which versions of Google are affected by CVE-2026-4216?

Organizations using i-SENS SmartLog App should be aware of moderate risk from CVE-2026-4216, a hard-coded credentials vulnerability rated CVSS 5.3.

Is there a public PoC exploit available for CVE-2026-4216?

Yes, a public proof-of-concept exploit is available for CVE-2026-4216. Prioritise patching immediately. EPSS: 0.0%.

Google CVE-2026-4216

Q: What is the CVSS score of CVE-2026-4216?

CVE-2026-4216 has a CVSS 4.0 base score of 1.9 (Low). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-12335 LOW

Use of Hard-coded Credentials (CWE-798)

2026-03-16 VulDB

Google Authentication Bypass

1.9

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

1.9 LOW

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:11 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:11 NVD

4.8 (MEDIUM) 1.9 (LOW)

CVSS changed

Apr 22, 2026 - 21:37 NVD

5.3 (MEDIUM) 4.8 (MEDIUM)

PoC Detected

Mar 16, 2026 - 14:53 vuln.today

Public exploit code

EUVD ID Assigned

Mar 16, 2026 - 06:00 euvd

EUVD-2026-12335

Analysis Generated

Mar 16, 2026 - 06:00 vuln.today

CVE Published

Mar 16, 2026 - 05:02 nvd

MEDIUM 5.3

DescriptionCVE.org

A weakness has been identified in i-SENS SmartLog App up to 2.6.8 on Android. This affects an unknown function of the component air.SmartLog.android. This manipulation causes hard-coded credentials. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. The vendor explains: "The function referenced in the report currently exists in our deployed system. It is related to a developer mode used during the configuration process for Bluetooth pairing between the blood glucose meter and the SmartLog application. This function is intended for configuration purposes related to device integration and testing. (...) [I]n a future application update, we plan to review measures to either remove the developer mode function or restrict access to it."

AnalysisAI

Hard-coded credentials exist in the i-SENS SmartLog Android application (versions up to 2.6.8) within a developer mode function used for Bluetooth pairing configuration between blood glucose meters and the mobile app. An attacker with local access and low privileges can exploit this to obtain credentials, potentially compromising the integrity and confidentiality of health data. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	While the CVSS 5.3 score reflects moderate severity with confidentiality, integrity, and availability impacts, several factors constrain real-world exploitation risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker with physical access to an Android device running SmartLog 2.6.8 or earlier gains local access to the device (either as a secondary user or through unlocked device access). The attacker navigates to the developer mode function embedded in the air.SmartLog.android component and extracts the hard-coded credentials stored in the application code. …
Remediation	Users should upgrade i-SENS SmartLog to the latest available version once released by i-SENS, which will include removal or restriction of the developer mode containing hard-coded credentials. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 30 days: Identify affected systems running i-SENS SmartLog App and apply vendor patches as part of regular patch cycle. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-4216 vulnerability details – vuln.today

Back