{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5455", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-02T22:15:29.975Z", "datePublished": "2026-04-03T06:00:20.124Z", "dateUpdated": "2026-04-03T12:49:28.090Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-03T06:00:20.124Z"}, "title": "Dialogue App ca.diagram.dialogue config.json hard-coded key", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-321", "lang": "en", "description": "Use of Hard-coded Cryptographic Key"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-320", "lang": "en", "description": "Key Management Error"}]}], "affected": [{"vendor": "n/a", "product": "Dialogue App", "versions": [{"version": "4.3.0", "status": "affected"}, {"version": "4.3.1", "status": "affected"}, {"version": "4.3.2", "status": "affected"}], "modules": ["ca.diagram.dialogue"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in Dialogue App up to 4.3.2 on Android. The affected element is an unknown function of the file file\u00a0res/raw/config.json of the component ca.diagram.dialogue. Executing a manipulation of the argument SEGMENT_WRITE_KEY can lead to use of hard-coded cryptographic key\r . The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-02T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-03T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-03T00:20:37.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "fxizenta (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/355043", "name": "VDB-355043 | Dialogue App ca.diagram.dialogue config.json hard-coded key", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/355043/cti", "name": "VDB-355043 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/781761", "name": "Submit #781761 | Dialogue Dialogue(ca.diagram.dialogue) 4.3.2 Segment Write Key Exposure", "tags": ["third-party-advisory"]}, {"url": "https://www.notion.so/Segment-Write-Key-Exposure-Leading-to-Data-Injection-and-User-Profile-Manipulation-In-ca-diagram-dia-3262de3f97fb802fb5f0d2c9d179dcf6?source=copy_link", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T12:49:21.266978Z", "id": "CVE-2026-5455", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T12:49:28.090Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in Dialogue App up to 4.3.2 on Android. The affected element is an unknown function of the file file\u00a0res/raw/config.json of the component ca.diagram.dialogue. Executing a manipulation of the argument SEGMENT_WRITE_KEY can lead to use of hard-coded cryptographic key\r . The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-5455", "lastModified": "2026-04-03T07:16:20.210", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 1.7, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.1, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-03T07:16:20.210", "references": [{"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/781761"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355043"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355043/cti"}, {"source": "cna@vuldb.com", "url": "https://www.notion.so/Segment-Write-Key-Exposure-Leading-to-Data-Injection-and-User-Profile-Manipulation-In-ca-diagram-dia-3262de3f97fb802fb5f0d2c9d179dcf6?source=copy_link"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-320"}, {"lang": "en", "value": "CWE-321"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.3.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.3.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.3.2"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Dialogue App", "source": "cna", "vendor": "n/a"}, "product": "dialogue_app", "vendor": "dialogue"}], "analysis": {"en": {"generated_at": "2026-04-03T08:50:35.282924+00:00", "value": {"mitigation_remediation": ["Update Dialogue App to a newer version that removes the hard\u2011coded SEGMENT_WRITE_KEY.", "If no update is available, uninstall or disable the application to prevent local exploitation.", "Monitor the vendor\u2019s website or security advisories for a patch; consider switching to an alternative app if the issue remains unresolved."], "summary": {"action": "Patch", "impact": "Local Key Exposure"}, "threat_synthesis": {"affected_systems": "The flaw affects Dialogue App version 4.3.2 and earlier on Android devices. No other vendors, products, or versions are documented as impacted.", "description_and_impact": "A hard\u2011coded cryptographic key is stored in the file res/raw/config.json of the ca.diagram.dialogue component of Dialogue App. Manipulating the SEGMENT_WRITE_KEY argument allows local code to activate this hard\u2011coded key, exposing weaknesses identified as CWE-320 and CWE-321. This can enable data injection or unauthorized user\u2011profile manipulation on the device where the app runs.", "risk_and_exploitability": "The CVSS score of 4.8 reflects moderate severity. Exploitation requires local execution; remote attackers cannot reach the vulnerability directly. EPSS data is unavailable and the issue is not listed in the CISA KEV catalog. While the vulnerability is publicly disclosed, only users or malicious applications on the same device can exploit it, limiting its broader threat but still posing a significant risk to device\u2011owner data."}}}}, "created": "2026-04-03T08:57:50.644994+00:00", "updated": "2026-04-03T09:15:43.840686+00:00", "vendors": ["dialogue", "dialogue$PRODUCT$dialogue_app"]}