{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21013", "assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458", "state": "PUBLISHED", "assignerShortName": "SamsungMobile", "dateReserved": "2025-12-11T01:33:35.803Z", "datePublished": "2026-04-13T05:04:45.232Z", "dateUpdated": "2026-04-13T14:35:12.877Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-276: Incorrect Default Permission"}]}], "affected": [{"vendor": "Samsung Mobile", "product": "Galaxy Wearable", "versions": [{"status": "unaffected", "version": "2.2.68.26", "versionType": "semver", "lessThan": "*"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Incorrect default permission in Galaxy Wearable prior to version 2.2.68.26 allows local attackers to access sensitive information."}], "references": [{"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=04"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "baseSeverity": "MEDIUM"}}], "providerMetadata": {"orgId": "3af57064-a867-422c-b2ad-40307b65c458", "shortName": "SamsungMobile", "dateUpdated": "2026-04-13T05:04:45.232Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T14:34:54.695158Z", "id": "CVE-2026-21013", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T14:35:12.877Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21013", "assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458", "state": "PUBLISHED", "assignerShortName": "SamsungMobile", "dateReserved": "2025-12-11T01:33:35.803Z", "datePublished": "2026-04-13T05:04:45.232Z", "dateUpdated": "2026-04-13T14:35:12.877Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-276: Incorrect Default Permission"}]}], "affected": [{"vendor": "Samsung Mobile", "product": "Galaxy Wearable", "versions": [{"status": "unaffected", "version": "2.2.68.26", "versionType": "semver", "lessThan": "*"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Incorrect default permission in Galaxy Wearable prior to version 2.2.68.26 allows local attackers to access sensitive information."}], "references": [{"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=04"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "baseSeverity": "MEDIUM"}}], "providerMetadata": {"orgId": "3af57064-a867-422c-b2ad-40307b65c458", "shortName": "SamsungMobile", "dateUpdated": "2026-04-13T05:04:45.232Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21013", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T14:34:54.695158Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T14:35:06.030Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect default permission in Galaxy Wearable prior to version 2.2.68.26 allows local attackers to access sensitive information."}], "id": "CVE-2026-21013", "lastModified": "2026-04-13T15:01:43.663", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "mobile.security@samsung.com", "type": "Secondary"}]}, "published": "2026-04-13T06:16:06.010", "references": [{"source": "mobile.security@samsung.com", "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=04"}], "sourceIdentifier": "mobile.security@samsung.com", "vulnStatus": "Awaiting Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[2.2.68.26,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Galaxy Wearable", "source": "cna", "vendor": "Samsung Mobile"}, "product": "galaxy_wearable", "vendor": "samsung_mobile"}], "analysis": {"en": {"generated_at": "2026-04-13T07:51:03.500558+00:00", "value": {"mitigation_remediation": ["Apply the official firmware update to version\u202f2.2.68.26 or later on all Samsung Galaxy Wearable devices.", "If an update is not available, lock the device, restrict application permissions, and avoid sharing sensitive data over the device.", "Monitor device logs and usage for abnormal access patterns and report any suspicious activity to Samsung support."], "summary": {"action": "Patch", "impact": "Sensitive information disclosure"}, "threat_synthesis": {"affected_systems": "The affected product is Samsung Mobile's Galaxy Wearable firmware on compatible wearable devices. Versions earlier than 2.2.68.26 are vulnerable. No specific device models are listed, so all Galaxy Wearable devices with firmware before that version are at risk.", "description_and_impact": "The vulnerability originates from an incorrectly configured default permission in Samsung Mobile's Galaxy Wearable firmware before version\u202f2.2.68.26. Because the default settings grant broader access than intended, a local attacker can read restricted files or data stored on the wearable, leading to accidental or intentional disclosure of personal or sensitive information. This weakness represents an improper access control (CWE\u2011284) and can expose data that a user entrusts to the device.", "risk_and_exploitability": "The reported CVSS score of\u202f6.9 indicates moderate severity, primarily because the attack requires local access. The EPSS score is not available, so exploitation likelihood is not quantified. The vulnerability is not listed in CISA's KEV catalog. Based on the description, it appears the attack vector is local, meaning the attacker must have physical possession of the wearable or be paired with a compromised smartphone. Once local access is achieved, the attacker can read protected data, potentially leading to privacy violations."}}}}, "created": "2026-04-13T12:37:08.014892+00:00", "title": "Galaxy Wearable Default Permission Misconfiguration Exposes Sensitive Information", "updated": "2026-04-13T12:52:55.486252+00:00", "vendors": ["samsung_mobile", "samsung_mobile$PRODUCT$galaxy_wearable"], "weaknesses": ["CWE-284"]}