CVE-2026-5458: Use of Hard-coded Cryptographic Key in Noelse Individuals & Pro App
CVE-2026-5458 is a medium severity vulnerability in the Noelse Individuals & Pro App for Android versions up to 2. 1. 7. It involves the use of a hard-coded cryptographic key within the app's code, specifically in the file com/reactnative/antelop/BuildConfig. java. Exploitation requires local access to the device. The vendor has not responded to disclosure attempts, and no official patch or remediation guidance is currently available. The vulnerability could potentially allow attackers with local access to misuse the hard-coded key, but the exact impact is limited by the need for local attack conditions.
AI Analysis
Technical Summary
This vulnerability concerns the presence of a hard-coded cryptographic key in the Noelse Individuals & Pro App (versions 2.1.0 through 2.1.7) on Android. The key is embedded in the app's BuildConfig.java file under the argument SEGMENT_WRITE_KEY. Because the key is hard-coded, it may be extracted or misused by an attacker with local access to the device. The vulnerability does not require user interaction and has low complexity but requires local privileges. There is no vendor response or patch available at this time.
Potential Impact
The use of a hard-coded cryptographic key can weaken the security of cryptographic operations within the app, potentially allowing an attacker with local access to compromise confidentiality or integrity related to the key's usage. However, exploitation requires local access, limiting the attack surface. No known exploits are reported in the wild. The medium CVSS score (4.8) reflects these factors.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the vendor has not responded and no official fix is available, users should avoid running the affected app versions on untrusted devices or environments. Monitoring for vendor updates is recommended. No specific workaround or temporary fix is documented.
CVE-2026-5458: Use of Hard-coded Cryptographic Key in Noelse Individuals & Pro App
Description
CVE-2026-5458 is a medium severity vulnerability in the Noelse Individuals & Pro App for Android versions up to 2. 1. 7. It involves the use of a hard-coded cryptographic key within the app's code, specifically in the file com/reactnative/antelop/BuildConfig. java. Exploitation requires local access to the device. The vendor has not responded to disclosure attempts, and no official patch or remediation guidance is currently available. The vulnerability could potentially allow attackers with local access to misuse the hard-coded key, but the exact impact is limited by the need for local attack conditions.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability concerns the presence of a hard-coded cryptographic key in the Noelse Individuals & Pro App (versions 2.1.0 through 2.1.7) on Android. The key is embedded in the app's BuildConfig.java file under the argument SEGMENT_WRITE_KEY. Because the key is hard-coded, it may be extracted or misused by an attacker with local access to the device. The vulnerability does not require user interaction and has low complexity but requires local privileges. There is no vendor response or patch available at this time.
Potential Impact
The use of a hard-coded cryptographic key can weaken the security of cryptographic operations within the app, potentially allowing an attacker with local access to compromise confidentiality or integrity related to the key's usage. However, exploitation requires local access, limiting the attack surface. No known exploits are reported in the wild. The medium CVSS score (4.8) reflects these factors.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the vendor has not responded and no official fix is available, users should avoid running the affected app versions on untrusted devices or environments. Monitoring for vendor updates is recommended. No specific workaround or temporary fix is documented.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-04-02T22:23:25.416Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69cf69120a160ebd92df90e5
Added to database: 4/3/2026, 7:15:30 AM
Last enriched: 4/10/2026, 9:16:05 AM
Last updated: 5/20/2026, 6:14:39 AM
Views: 106
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.