CVE-2026-5458 - Vulnerability Details

Description

A weakness has been identified in Noelse Individuals & Pro App up to 2.1.7 on Android. This impacts an unknown function of the file com/reactnative/antelop/BuildConfig.java of the component com.afone.noelse. This manipulation of the argument SEGMENT_WRITE_KEY causes use of hard-coded cryptographic key
. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-04-03

Score: 4.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A weakness in the Noelse Individuals & Pro App allows manipulation of the SEGMENT_WRITE_KEY argument in the BuildConfig.java file, causing the application to use a hard‑coded cryptographic key. This flaw enables local attackers to inject data or alter user profiles, compromising both the confidentiality and integrity of sensitive information. The issue corresponds to key management and key generation weaknesses (CWE‑320, CWE‑321).

Affected Systems

The vulnerability affects Android users of Noelse Individuals & Pro App up to version 2.1.7. It involves the com.reactnative.antelope.BuildConfig.java component within com.afone.noelse and is specific to the vendor Noelse.

Risk and Exploitability

With a CVSS score of 4.8 the risk is moderate. Although EPSS data is unavailable and the flaw is not listed in CISA’s KEV catalog, a publicly available exploit exists and the attack model requires local execution on the device. Because the vendor has not yet responded to the disclosure, the likelihood of a future patch remains uncertain, increasing the potential for unmitigated exploitation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Noelse

Individuals & Pro App

affected

Version	Status	Constraints
`2.1.0`	affected	—
`2.1.1`	affected	—
`2.1.2`	affected	—
`2.1.3`	affected	—
`2.1.4`	affected	—
`2.1.5`	affected	—
`2.1.6`	affected	—
`2.1.7`	affected	—

No data.

Vendor Product Confidence Versions

Noelse

Individuals & Pro App

100%

Version	Status	Scheme	Platform
`2.1.0`	affected	semver	—
`2.1.1`	affected	semver	—
`2.1.2`	affected	semver	—
`2.1.3`	affected	semver	—
`2.1.4`	affected	semver	—
`2.1.5`	affected	semver	—
`2.1.6`	affected	semver	—
`2.1.7`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Verify the installed Noelse Individuals & Pro App version and ensure it is not 2.1.7 or lower.
Search for and apply any vendor‑supplied patch or newer release that eliminates the hard‑coded key.
If no patch is available, consider uninstalling the application or restricting its device permissions until a fix is issued.
Monitor device activity for unexpected data writes or profile changes that may indicate exploitation.
Reach out to Noelse to request a security fix timeline and follow up if no response is received.

Generated by OpenCVE AI on April 3, 2026 at 10:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Local

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00011.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://vuldb.com/submit/781766
https://vuldb.com/vuln/355046
https://vuldb.com/vuln/355046/cti
https://www.notion.so/Segment-Write-Key-Exposure-Leading-to-Data-Injection-and-User-Profile-Manipulation-In-com-afone-noel-3262de3f97fb80549986ddd8a160ed32?source=copy_link

History

Fri, 03 Apr 2026 21:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Noelse Noelse individuals & Pro App
Vendors & Products		Noelse Noelse individuals & Pro App

Fri, 03 Apr 2026 12:45:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 03 Apr 2026 07:45:00 +0000

Type	Values Removed	Values Added
Description		A weakness has been identified in Noelse Individuals & Pro App up to 2.1.7 on Android. This impacts an unknown function of the file com/reactnative/antelop/BuildConfig.java of the component com.afone.noelse. This manipulation of the argument SEGMENT_WRITE_KEY causes use of hard-coded cryptographic key . The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title		Noelse Individuals & Pro App com.afone.noelse BuildConfig.java hard-coded key
Weaknesses		CWE-320 CWE-321
References		https://vuldb.com/submit/781766 https://vuldb.com/vuln/355046 https://vuldb.com/vuln/355046/cti https://www.notion.so/Segment-Write-Key-Exposure-Leading-to-Data-Injection-and-User-Profile-Manipulation-In-com-afone-noel-3262de3f97fb80549986ddd8a160ed32?source=copy_link
Metrics		cvssV2_0 `{'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Noelse Individuals & Pro App

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-03T07:00:16.331Z

Updated: 2026-04-03T11:17:55.821Z

Reserved: 2026-04-02T22:23:25.416Z

Link: CVE-2026-5458

Vulnrichment

Updated: 2026-04-03T11:17:29.777Z

NVD

Status : Awaiting Analysis

Published: 2026-04-03T07:16:21.037

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-5458

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T21:17:04Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Local

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object