HIGHCVE-2026-28548CVSS 7.1

CVE-2026-28548: Improper Verification in Email Application

Platform

android

Component

email-application

Fixed in

4.2.1

4.0.1

3.1.1

2.0.1

14.2.1

14.0.1

13.0.1

12.0.1

AI Confidence: highNVDEPSS 0.0%Reviewed: May 2026

View on NVD

Save

CVE-2026-28548 describes an improper verification vulnerability within the Android Email Application. Successful exploitation could compromise the confidentiality of email data. This vulnerability impacts versions of the Email Application up to and including 14.2.0. A patch is expected to address this issue.

Impact and Attack Scenarios

The improper verification flaw allows an attacker to potentially access sensitive email content. This could include personal communications, financial details, or other confidential information stored within the application. While the specific attack vector isn't detailed, the impact centers on unauthorized access to data. The confidentiality of email services is at risk, potentially leading to identity theft, financial fraud, or exposure of sensitive business information. The blast radius extends to any user utilizing the vulnerable version of the Email Application.

Exploitation Context

CVE-2026-28548 was publicly disclosed on 2026-03-05. The vulnerability's severity is rated HIGH (CVSS 7.1). There are currently no publicly available proof-of-concept exploits. The vulnerability is not listed on the CISA KEV catalog as of this writing.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureLow

Reports2 threat reports

EPSS

0.01% (0% percentile)

CISA SSVC

Exploitationnone

Automatableno

Technical Impacttotal

CVSS Vector

Affected Software

Componentemail-application

VendorHuawei

Affected rangeFixed in

4.2.0 – 4.2.04.2.1

4.0.0 – 4.0.04.0.1

3.1.0 – 3.1.03.1.1

2.0.0 – 2.0.02.0.1

14.2.0 – 14.2.014.2.1

14.0.0 – 14.0.014.0.1

13.0.0 – 13.0.013.0.1

12.0.0 – 12.0.012.0.1

Weakness Classification (CWE)

CWE-269

Timeline

Reserved2026-02-28
Published2026-03-05
EPSS updated2026-03-23

Unpatched — 80 days since disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2026-28548 is to upgrade to a patched version of the Android Email Application. Since a specific fixed version isn't provided, users should monitor for updates released by Google. As a temporary workaround, users could consider disabling automatic email syncing or limiting the amount of sensitive information stored within the application until a patch is available. Regularly review app permissions to ensure only necessary access is granted.

How to fix

Actualice la aplicación de correo electrónico a la última versión disponible proporcionada por Huawei para HarmonyOS. Esto solucionará la vulnerabilidad de verificación incorrecta y protegerá la confidencialidad del servicio.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-28548 — Improper Verification in Email Application?

CVE-2026-28548 is a HIGH severity vulnerability affecting the Android Email Application versions up to 14.2.0. It involves improper verification, potentially leading to data confidentiality breaches.

Am I affected by CVE-2026-28548 in Email Application?

If you are using the Android Email Application version 14.2.0 or earlier, you are potentially affected by this vulnerability. Check your app version and update if a patch is available.

How do I fix CVE-2026-28548 in Email Application?

The recommended fix is to upgrade to a patched version of the Android Email Application. Monitor for updates released by Google.

Is CVE-2026-28548 being actively exploited?

As of now, there are no publicly known active exploitation campaigns targeting CVE-2026-28548.

Where can I find the official Android advisory for CVE-2026-28548?

Refer to the official Android Security Bulletins and Google's security pages for updates and advisories related to CVE-2026-28548.

NextGuard

Vulnerabilities

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Android / Gradle

Detect this CVE in your project

Upload your build.gradle file and we'll tell you instantly if you're affected.

Scan free

Search CVEs

Upload build.gradle

What do these metrics mean?

Attack Vector: Local — attacker needs a local shell or interactive session on the system.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability: None — no availability impact. Service remains fully operational.