{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28553", "assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e", "state": "PUBLISHED", "assignerShortName": "huawei", "dateReserved": "2026-02-28T03:58:12.089Z", "datePublished": "2026-04-13T03:53:07.148Z", "dateUpdated": "2026-04-13T03:53:07.148Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "25ac1063-e409-4190-8079-24548c77ea2e", "shortName": "huawei", "dateUpdated": "2026-04-13T03:53:07.148Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-275", "description": "CWE-275 Permission Issues", "type": "CWE"}]}], "affected": [{"vendor": "Huawei", "product": "HarmonyOS", "versions": [{"status": "affected", "version": "4.3.1"}, {"status": "affected", "version": "4.3.0"}, {"status": "affected", "version": "4.2.0"}, {"status": "affected", "version": "4.0.0"}], "defaultStatus": "unaffected"}, {"vendor": "Huawei", "product": "EMUI", "versions": [{"status": "affected", "version": "15.0.0"}, {"status": "affected", "version": "14.2.0"}, {"status": "affected", "version": "14.0.0"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Vulnerability of improper permission control in the theme setting module.\nImpact: Successful exploitation of this vulnerability may affect service confidentiality.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Vulnerability of improper permission control in the theme setting module.<br>Impact: Successful exploitation of this vulnerability may affect service confidentiality."}]}], "references": [{"url": "https://consumer.huawei.com/en/support/bulletin/2026/4/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseSeverity": "MEDIUM", "baseScore": 6.9, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability of improper permission control in the theme setting module.\nImpact: Successful exploitation of this vulnerability may affect service confidentiality."}], "id": "CVE-2026-28553", "lastModified": "2026-04-13T04:16:03.650", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.3, "source": "psirt@huawei.com", "type": "Secondary"}]}, "published": "2026-04-13T04:16:03.650", "references": [{"source": "psirt@huawei.com", "url": "https://consumer.huawei.com/en/support/bulletin/2026/4/"}], "sourceIdentifier": "psirt@huawei.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-275"}], "source": "psirt@huawei.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "15.0.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "14.2.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "14.0.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "EMUI", "source": "cna", "vendor": "Huawei"}, "product": "emui", "vendor": "huawei"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.3.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.3.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.2.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.0.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "HarmonyOS", "source": "cna", "vendor": "Huawei"}, "product": "harmonyos", "vendor": "huawei"}], "analysis": {"en": {"generated_at": "2026-04-13T05:20:46.303330+00:00", "value": {"mitigation_remediation": ["Visit the Huawei consumer support bulletin at https://consumer.huawei.com/en/support/bulletin/2026/4/ to review official patch information.", "Download and install the latest firmware or OS update that addresses the permission control flaw.", "After installing the update, verify the integrity of system configuration and confirm that theme settings cannot be accessed without appropriate privileges."], "summary": {"action": "Update Software", "impact": "Unauthorized Information Disclosure"}, "threat_synthesis": {"affected_systems": "Manufacturers affected are Huawei, specifically software versions packaged under the EMUI and HarmonyOS product lines. No precise version numbers are supplied in the advisory; therefore, any device running these operating systems until further notice may be considered vulnerable. Users should consult Huawei\u2019s consumer support bulletin for confirmation of affected releases.", "description_and_impact": "The vulnerability involves improper permission control within the theme setting component of Huawei's EMUI and HarmonyOS operating systems. By bypassing the intended access restrictions, an attacker could read or alter theme\u2011related configuration files, potentially revealing sensitive information tied to the service. The core weakness is a lack of proper privilege checks, aligning with CWE\u2011275. Consequently, the primary impact is a compromise of confidentiality, allowing disclosure of configuration details that may be used for further attacks.", "risk_and_exploitability": "The assigned CVSS score of 6.9 reflects a Moderate severity level, but the vulnerability is neither listed in CISA\u2019s KEV catalog nor associated with a known exploit probability metric. Based on the description, it is inferred that the attack vector requires local interaction with the theme manager or exploitation of unprotected API endpoints exposed to the user interface. Because no remote exploitation mechanism is expressly documented, the exploitation likelihood may be moderate. Prompt patching remains the most effective countermeasure."}}}}, "created": "2026-04-13T12:37:39.351943+00:00", "title": "Improper Permission Control in Huawei EMUI and HarmonyOS Theme Setting Module", "updated": "2026-04-13T12:53:26.801088+00:00", "vendors": ["huawei", "huawei$PRODUCT$emui", "huawei$PRODUCT$harmonyos"]}