CVE-2026-1612 MEDIUM

CVE-2026-1612: Hard-coded AWS Key in AL-KO Robolinho Update Software

Vendor Al-Ko
Product Robolinho Update Software
Weakness CWE-798 · Hardcoded credentials
Published March 30, 2026
Last update April 13, 2026

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

AL-KO Robolinho Update Software has hard-coded AWS Access and Secret keys that allow anyone to access AL-KO's AWS bucket. Using the keys directly might give the attacker greater access than the app itself. Key grants AT LEAST read access to some of the objects in bucket. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 8.0.21.0610 and 8.0.22.0524 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

Key dates

02Disclosure timeline

March 30, 2026 CVE published
April 13, 2026 Record updated