Description
A vulnerability was detected in Investory Toy Planet Trouble App up to 1.5.5 on Android. Impacted is an unknown function of the file assets/google-services-desktop.json of the component app.investory.toyfactory. The manipulation of the argument current_key results in use of hard-coded cryptographic key. The attack must be initiated from a local position. The exploit is now public and may be used.
Published: 2026-04-03
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: Unauthorized data exposure
Action: Patch
AI Analysis

Impact

A vulnerability exists in the Android release of the Investory Toy Planet Trouble App up to version 1.5.5. The flaw lies in the assets file google‑services‑desktop.json, where manipulation of the current_key parameter results in the app using a hard‑coded cryptographic key. This exposes cryptographic material that could be used to decrypt stored data or forge authentication tokens. The weakness is associated with CWE‑320 (Use of Hard‑coded Cryptography) and CWE‑321 (Use of Predictably Generated Keys). The primary impact is a potential loss of confidentiality and integrity for user data stored or transmitted by the app.

Affected Systems

The affected product is the Investory Toy Planet Trouble App for Android, versions up to and including 1.5.5. The component specifically impacted is app.investory.toyfactory; no other vendors or products are listed.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity. The exploit requires a local attack, meaning the attacker must have physical or local access to the device to modify the argument. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector involves local manipulation of the asset file, allowing an attacker to leverage the hard‑coded key to compromise data confidentiality and integrity.

Generated by OpenCVE AI on April 3, 2026 at 19:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch for Investory Toy Planet Trouble App (upgrade to a version newer than 1.5.5 if available).
  • If no patch is available, uninstall the application or restrict its installation to trusted devices.
  • Ensure that devices run reproducible builds and verify the integrity of asset files as part of device hardening procedures.


Advisories

No advisories yet.

History

Fri, 03 Apr 2026 21:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Investory, Investory toy Planet Trouble App |
| Vendors & Products | | Investory, Investory toy Planet Trouble App |

Fri, 03 Apr 2026 16:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | A vulnerability was detected in Investory Toy Planet Trouble App up to 1.5.5 on Android. Impacted is an unknown function of the file assets/google-services-desktop.json of the component app.investory.toyfactory. The manipulation of the argument current_key results in use of hard-coded cryptographic key. The attack must be initiated from a local position. The exploit is now public and may be used. |
| Title | | Investory Toy Planet Trouble App app.investory.toyfactory google-services-desktop.json hard-coded key |
| Weaknesses | | CWE-320, CWE-321 |
| References | | |
| Metrics: cvssV2_0 | | {'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'} |
| Metrics: cvssV3_0 | | {'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'} |
| Metrics: cvssV3_1 | | {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'} |
| Metrics: cvssV4_0 | | {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-03T15:45:10.403Z

Reserved: 2026-04-03T07:37:53.776Z

Link: CVE-2026-5471

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-03T16:16:45.540

Modified: 2026-04-03T16:16:45.540

Link: CVE-2026-5471

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T21:15:12Z

Weaknesses