CVE-2026-1612

Hard-coded AWS Key in AL-KO Robolinho Update Software

Assigner: CERT-PL
Reserved: 29.01.2026 Published: 30.03.2026 Updated: 30.03.2026

AL-KO Robolinho Update Software has hard-coded AWS Access and Secret keys that allow anyone to access AL-KO's AWS bucket. Using the keys directly might give the attacker greater access than the app itself. Key grants AT LEAST read access to some of the objects in bucket.

The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 8.0.21.0610 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 6.9

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	AL-KO
Product	Robolinho Update Software
Versions	Default: unknown Version 8.0.21.0610 is affected

Vendor

AL-KO

Product

Robolinho Update Software

Versions

Default: unknown

Version 8.0.21.0610 is affected

Credits

Piotr Ptaszek finder

References

Problem Types