CVE-2026-8032

High

Published: 06 May 2026

Published

06 May 2026

Modified

07 May 2026

KEV Added

—

Patch

—

CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0004 11.3th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-8032 is a high-severity Use of Hard-coded Password (CWE-259) vulnerability in Google (inferred from references). Its CVSS base score is 7.3 (High).

Operationally, ranked at the 11.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

IA-5 Authenticator Management

addresses: CWE-259 CWE-798

Changing default authenticators prior to first use directly prevents use of hard-coded passwords.

PM-16 Threat Awareness Program

addresses: CWE-798 CWE-259

Intelligence programs surface reports of campaigns that abuse hard-coded credentials in products, prompting removal or replacement and thereby reducing successful exploitation.

SA-21 Developer Screening

addresses: CWE-798 CWE-259

Vetting reduces the chance a developer will deliberately insert hard-coded credentials as a backdoor or unauthorized access mechanism.

SR-6 Supplier Assessments and Reviews

addresses: CWE-798 CWE-259

Supplier risk reviews identify and discourage hard-coded credentials in delivered products or services.

AC-9 Previous Logon Notification

addresses: CWE-798

Enables users to notice when hard-coded credentials have been exploited for unauthorized access.

AT-3 Role-based Training

addresses: CWE-798

Security training explicitly warns against hard-coded credentials, lowering their use in systems.

IA-1 Policy and Procedures

addresses: CWE-798

Policy and procedures prohibit hard-coded credentials in favor of managed authentication.

IA-13 Identity Providers and Authorization Servers

addresses: CWE-798

External identity providers eliminate the need for hard-coded credentials in applications.

NVD Description

A flaw has been found in PicoTronica e-Clinic Healthcare System ECHS 5.7. The impacted element is an unknown function of the file /cdemos/echs/priv/echs.js. This manipulation of the argument ADMIN_KEY causes hard-coded credentials. The attack is possible to be carried out…

remotely. The exploit has been published and may be used. Upgrading to version 5.7.1 is sufficient to resolve this issue. The affected component should be upgraded. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-259 CWE-798

Affected Products

Google

—

inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2026-2616Shared CWE-259, CWE-798

CVE-2025-11126Shared CWE-259, CWE-798

CVE-2025-2343Shared CWE-259, CWE-798

CVE-2026-4475Shared CWE-259, CWE-798

CVE-2026-1610Shared CWE-259, CWE-798

CVE-2025-8974Shared CWE-259, CWE-798

CVE-2025-8730Shared CWE-259, CWE-798

CVE-2026-6574Shared CWE-259, CWE-798

CVE-2026-7579Shared CWE-259, CWE-798

CVE-2026-24346Shared CWE-798

References

https://docs.google.com/document/d/1w1veNs8I3nxsVxbSiIgJmt-4S5a0rW0bvjDvEe7iDr0/edit?usp=sharing
cna@vuldb.com
https://vuldb.com/submit/800792
cna@vuldb.com
https://vuldb.com/vuln/361358
cna@vuldb.com
https://vuldb.com/vuln/361358/cti
cna@vuldb.com