Vulnerability in Setracker2 Android Companion App Affects User Authentication
CVE-2026-9221
8.7HIGH
What is CVE-2026-9221?
The Setracker2 Android Companion App for tracking devices is vulnerable due to its use of MD5 for generating request signatures, allowing attackers to reverse-engineer the signature and obtain session IDs. This exposure enables unauthorized impersonation of legitimate users, permitting attackers to send authenticated requests to the backend REST API, compromising the application's security and user privacy.
Affected Version(s)
Setracker2 Parental Control App (Android) package com.tgelec.setracker 0 <= 3.1.5
References
CVSS V4
Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Huancheng Hu of Hasso Plattner Institute reported these vulnerabilities to CISA, with support from Prof. Christian Doerr.