{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5462", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-03T00:50:55.848Z", "datePublished": "2026-04-03T07:15:10.913Z", "dateUpdated": "2026-04-03T19:57:59.689Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-03T07:15:10.913Z"}, "title": "Wahoo Fitness SYSTM App com.WahooFitness.SYSTM BuildConfig.java hard-coded key", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-321", "lang": "en", "description": "Use of Hard-coded Cryptographic Key"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-320", "lang": "en", "description": "Key Management Error"}]}], "affected": [{"vendor": "Wahoo Fitness", "product": "SYSTM App", "versions": [{"version": "7.2.0", "status": "affected"}, {"version": "7.2.1", "status": "affected"}], "modules": ["com.WahooFitness.SYSTM"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in Wahoo Fitness SYSTM App up to 7.2.1 on Android. Impacted is an unknown function of the file com/WahooFitness/SYSTM/BuildConfig.java of the component com.WahooFitness.SYSTM. Such manipulation of the argument SEGMENT_WRITE_KEY leads to use of hard-coded cryptographic key\r . Local access is required to approach this attack. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-03T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-03T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-03T02:56:01.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "fxizenta (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/355053", "name": "VDB-355053 | Wahoo Fitness SYSTM App com.WahooFitness.SYSTM BuildConfig.java hard-coded key", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/355053/cti", "name": "VDB-355053 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/781767", "name": "Submit #781767 | Wahoo Fitness Wahoo SYSTM(com.WahooFitness.SYSTM) 7.2.1 Segment Write Key Exposure", "tags": ["third-party-advisory"]}, {"url": "https://www.notion.so/Segment-Write-Key-Exposure-Leading-to-Data-Injection-and-User-Profile-Manipulation-In-com-WahooFitne-3262de3f97fb8038808eed63af1a48b8?source=copy_link", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T19:57:41.978822Z", "id": "CVE-2026-5462", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T19:57:59.689Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5462", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T19:57:41.978822Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T19:57:50.956Z"}}], "cna": {"title": "Wahoo Fitness SYSTM App com.WahooFitness.SYSTM BuildConfig.java hard-coded key", "credits": [{"lang": "en", "type": "reporter", "value": "fxizenta (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "Wahoo Fitness", "modules": ["com.WahooFitness.SYSTM"], "product": "SYSTM App", "versions": [{"status": "affected", "version": "7.2.0"}, {"status": "affected", "version": "7.2.1"}]}], "timeline": [{"lang": "en", "time": "2026-04-03T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-03T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-03T02:56:01.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/355053", "name": "VDB-355053 | Wahoo Fitness SYSTM App com.WahooFitness.SYSTM BuildConfig.java hard-coded key", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/355053/cti", "name": "VDB-355053 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/781767", "name": "Submit #781767 | Wahoo Fitness Wahoo SYSTM(com.WahooFitness.SYSTM) 7.2.1 Segment Write Key Exposure", "tags": ["third-party-advisory"]}, {"url": "https://www.notion.so/Segment-Write-Key-Exposure-Leading-to-Data-Injection-and-User-Profile-Manipulation-In-com-WahooFitne-3262de3f97fb8038808eed63af1a48b8?source=copy_link", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in Wahoo Fitness SYSTM App up to 7.2.1 on Android. Impacted is an unknown function of the file com/WahooFitness/SYSTM/BuildConfig.java of the component com.WahooFitness.SYSTM. Such manipulation of the argument SEGMENT_WRITE_KEY leads to use of hard-coded cryptographic key\r . Local access is required to approach this attack. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-321", "description": "Use of Hard-coded Cryptographic Key"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-320", "description": "Key Management Error"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-03T07:15:10.913Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5462", "state": "PUBLISHED", "dateUpdated": "2026-04-03T19:57:59.689Z", "dateReserved": "2026-04-03T00:50:55.848Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-03T07:15:10.913Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in Wahoo Fitness SYSTM App up to 7.2.1 on Android. Impacted is an unknown function of the file com/WahooFitness/SYSTM/BuildConfig.java of the component com.WahooFitness.SYSTM. Such manipulation of the argument SEGMENT_WRITE_KEY leads to use of hard-coded cryptographic key\r . Local access is required to approach this attack. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-5462", "lastModified": "2026-04-24T18:13:28.877", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 1.7, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.1, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-03T08:16:17.740", "references": [{"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/781767"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355053"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355053/cti"}, {"source": "cna@vuldb.com", "url": "https://www.notion.so/Segment-Write-Key-Exposure-Leading-to-Data-Injection-and-User-Profile-Manipulation-In-com-WahooFitne-3262de3f97fb8038808eed63af1a48b8?source=copy_link"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-320"}, {"lang": "en", "value": "CWE-321"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "7.2.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "7.2.1"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "SYSTM App", "source": "cna", "vendor": "Wahoo Fitness"}, "product": "systm_app", "vendor": "wahoo_fitness"}], "analysis": {"en": {"generated_at": "2026-04-03T10:21:24.441663+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest version of the SYSTM App that removes the hard\u2011coded key", "Contact Wahoo Fitness for an official patch or guidance", "If an upgrade is not immediately possible, restrict local access to the device and monitor for any suspicious usage of SEGMENT_WRITE_KEY"], "summary": {"action": "Patch immediately", "impact": "Unauthorized disclosure of a cryptographic key through hard-coded configuration"}, "threat_synthesis": {"affected_systems": "Wahoo Fitness SYSTM App on Android, versions up to 7.2.1. The vulnerability resides specifically in the com.WahooFitness.SYSTM component.", "description_and_impact": "The SYSTM App includes a hard\u2011coded cryptographic key in BuildConfig.java, accessed via the SEGMENT_WRITE_KEY argument. Altering this argument causes the application to use the hard\u2011coded key, potentially allowing data injection and manipulation of user profiles. This weakness permits an attacker to compromise the integrity of the data sent to the service.", "risk_and_exploitability": "The CVSS score of 4.8 indicates moderate severity, and the fact that the exploit is publicly available increases the practical risk. Local access is required to manipulate the argument, which limits remote exploitation unless local privilege is obtained. The EPSS score is not available and the vulnerability is not listed in current KEV catalogues, suggesting it is not a widely exploited or prioritized threat at present, but local attackers targeting devices with this app could still pose a risk."}}}}, "created": "2026-04-03T21:14:46.644061+00:00", "updated": "2026-04-03T21:17:03.530270+00:00", "vendors": ["wahoo_fitness", "wahoo_fitness$PRODUCT$systm_app"]}