Description
A security flaw has been discovered in PropertyGuru AgentNet Singapore App up to 23.7.10 on Android. This affects an unknown function of the file com/allproperty/android/agentnet/BuildConfig.java of the component com.allproperty.android.agentnet. The manipulation of the argument SEGMENT_ANDROID_WRITE_KEY/SEGMENT_TOS_WRITE_KEY results in use of hard-coded cryptographic key
. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-03
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local data manipulation via exposed segment write key
Action: Update App
AI Analysis

Impact

A flaw in the PropertyGuru AgentNet Singapore App’s BuildConfig.java file allows the hard‑coded SEGMENT_ANDROID_WRITE_KEY and SEGMENT_TOS_WRITE_KEY to be used when the arguments are manipulated. Because the key is embedded in the application, a local attacker can craft requests that leverage this key, enabling injection of data or alteration of user profiles through the Segment analytics service. The vulnerability does not provide remote code execution but can compromise data integrity and privacy for users of the affected app.

Affected Systems

Vendors and products affected are the PropertyGuru AgentNet Singapore App, any Android installation of the app with a version of 23.7.10 or earlier. No other vendors or products are listed, and no broader platform or operating system impact is described in the advisory.

Risk and Exploitability

The CVSS score of 4.8 indicates medium severity, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. Because exploitation requires a local foothold on the device, the attack vector is limited to users who already have the app installed or have gained local device access. However, once the key is exposed, an attacker can send malicious payloads to the Segment endpoint, potentially creating a persistent data injection issue. Given the publicly released exploit, the risk is elevated for devices that remain on vulnerable releases until a vendor patch or a viable workaround is applied.

Generated by OpenCVE AI on April 3, 2026 at 10:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and install the latest version of PropertyGuru AgentNet Singapore App as soon as a vendor patch is available
  • If no update is available, disable or block outbound traffic from the app to Segment analytics endpoints whenever possible to prevent data injection
  • Continuously monitor vendor advisories and security bulletins for a formal fix or additional guidance

Generated by OpenCVE AI on April 3, 2026 at 10:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Propertyguru
Propertyguru agentnet Singapore App
Vendors & Products Propertyguru
Propertyguru agentnet Singapore App

Fri, 03 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 07:45:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in PropertyGuru AgentNet Singapore App up to 23.7.10 on Android. This affects an unknown function of the file com/allproperty/android/agentnet/BuildConfig.java of the component com.allproperty.android.agentnet. The manipulation of the argument SEGMENT_ANDROID_WRITE_KEY/SEGMENT_TOS_WRITE_KEY results in use of hard-coded cryptographic key . The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title PropertyGuru AgentNet Singapore App com.allproperty.android.agentnet BuildConfig.java hard-coded key
Weaknesses CWE-320
CWE-321
References
Metrics cvssV2_0

{'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Propertyguru Agentnet Singapore App
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-03T14:44:45.908Z

Reserved: 2026-04-02T22:21:55.784Z

Link: CVE-2026-5457

cve-icon Vulnrichment

Updated: 2026-04-03T14:44:41.715Z

cve-icon NVD

Status : Deferred

Published: 2026-04-03T07:16:20.793

Modified: 2026-04-24T18:13:28.877

Link: CVE-2026-5457

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T21:17:05Z

Weaknesses