CVE-2026-1816 PUBLISHED

OTP Bypass in TEİAŞ's Mobile Application

Assigner: TR-CERT
Reserved: 03.02.2026 Published: 21.05.2026 Updated: 21.05.2026

Improper restriction of excessive authentication attempts vulnerability in Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application allows Brute Force.

This issue affects Mobile Application: from 1.6.2 before 1.13.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
CVSS Score: 6.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	Low
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Turkiye Electricity Transmission Corporation (TEİAŞ)
Product	Mobile Application
Versions	Default: unaffected affected from 1.6.2 to 1.13 (excl.)

Credits

Metin ÖGTEM finder

References

https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0286

Problem Types

CWE-307 Improper restriction of excessive authentication attempts CWE

Impacts

CAPEC-112 Brute Force