{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5456", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-02T22:19:54.687Z", "datePublished": "2026-04-03T06:15:12.186Z", "dateUpdated": "2026-04-03T06:15:12.186Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-03T06:15:12.186Z"}, "title": "Align Technology My Invisalign App com.aligntech.myinvisalign.emea BuildConfig.java hard-coded key", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-321", "lang": "en", "description": "Use of Hard-coded Cryptographic Key"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-320", "lang": "en", "description": "Key Management Error"}]}], "affected": [{"vendor": "Align Technology", "product": "My Invisalign App", "versions": [{"version": "3.12.4", "status": "affected"}], "modules": ["com.aligntech.myinvisalign.emea"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in Align Technology My Invisalign App 3.12.4 on Android. The impacted element is an unknown function of the file com/aligntech/myinvisalign/BuildConfig.java of the component com.aligntech.myinvisalign.emea. The manipulation of the argument CDAACCESS_TOKEN leads to use of hard-coded cryptographic key\r . The attack must be carried out locally. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-02T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-03T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-03T00:25:02.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "fxizenta (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/355044", "name": "VDB-355044 | Align Technology My Invisalign App com.aligntech.myinvisalign.emea BuildConfig.java hard-coded key", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/355044/cti", "name": "VDB-355044 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/781763", "name": "Submit #781763 | Align Technology My Invisalign(com.aligntech.myinvisalign.emea) 3.12.4 Contentful CDA Tokens Exposure", "tags": ["third-party-advisory"]}, {"url": "https://www.notion.so/Contentful-CDA-Tokens-Exposure-Leading-to-Unauthorized-Access-to-Master-and-Release-Environments-in--3262de3f97fb802ebd1af88e1264cb9f?source=copy_link", "tags": ["exploit"]}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in Align Technology My Invisalign App 3.12.4 on Android. The impacted element is an unknown function of the file com/aligntech/myinvisalign/BuildConfig.java of the component com.aligntech.myinvisalign.emea. The manipulation of the argument CDAACCESS_TOKEN leads to use of hard-coded cryptographic key\r . The attack must be carried out locally. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-5456", "lastModified": "2026-04-03T07:16:20.570", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 1.7, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.1, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-03T07:16:20.570", "references": [{"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/781763"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355044"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355044/cti"}, {"source": "cna@vuldb.com", "url": "https://www.notion.so/Contentful-CDA-Tokens-Exposure-Leading-to-Unauthorized-Access-to-Master-and-Release-Environments-in--3262de3f97fb802ebd1af88e1264cb9f?source=copy_link"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-320"}, {"lang": "en", "value": "CWE-321"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.12.4"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "My Invisalign App", "source": "cna", "vendor": "Align Technology"}, "product": "my_invisalign_app", "vendor": "align_technology"}], "analysis": {"en": {"generated_at": "2026-04-03T08:50:22.407828+00:00", "value": {"mitigation_remediation": ["Verify installed My Invisalign App version; upgrade to the latest release if available.", "If no patch exists, remove or obfuscate the hard\u2011coded key and avoid using CDAACCESS_TOKEN for encryption.", "Contact Align Technology to request an official security fix and ensure communication is tracked.", "Monitor device logs for abnormal use of CDAACCESS_TOKEN or attempts to retrieve the hard\u2011coded key."], "summary": {"action": "Patch Now", "impact": "Local cryptographic key misuse"}, "threat_synthesis": {"affected_systems": "The affected product is Align Technology\u2019s My Invisalign App version 3.12.4 for Android, specifically the com.aligntech.myinvisalign.emea component. No other versions or platforms are listed as affected.", "description_and_impact": "The vulnerability resides in the BuildConfig.java file of the My Invisalign App where a hard\u2011coded cryptographic key is used when processing the CDAACCESS_TOKEN argument. An adversary who can run code locally on an infected device could read or tamper with data that is encrypted with this key, resulting in potential disclosure or manipulation of sensitive information. The weakness corresponds to hard\u2011coded secrets and use of a hard\u2011coded encryption key.", "risk_and_exploitability": "A CVSS score of 4.8 places the vulnerability in the moderate range, and the publicly available exploit suggests that an attacker who can run code on the device can take advantage of the hard\u2011coded key. Because the attack must be carried out locally, the threat is limited to devices that have already been compromised or are used by personnel who can execute code within the app. The lack of EPSS data and absence from the CISA KEV catalog indicate that the vulnerability has not yet been widely exploited, but the local nature does not eliminate the risk of data compromise if an insider or malicious user gains device access."}}}}, "created": "2026-04-03T08:57:49.521538+00:00", "updated": "2026-04-03T09:15:42.776743+00:00", "vendors": ["align_technology", "align_technology$PRODUCT$my_invisalign_app"]}