{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5453", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-02T22:10:44.860Z", "datePublished": "2026-04-03T04:30:11.575Z", "dateUpdated": "2026-04-03T11:20:13.272Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-03T04:30:11.575Z"}, "title": "Rico s\u00f3 vantagem pra investir App br.com.rico.mobile SegmentSettingsModule.java hard-coded key", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-321", "lang": "en", "description": "Use of Hard-coded Cryptographic Key"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-320", "lang": "en", "description": "Key Management Error"}]}], "affected": [{"vendor": "Rico", "product": "s\u00f3 vantagem pra investir App", "versions": [{"version": "4.58.32.12421", "status": "affected"}], "modules": ["br.com.rico.mobile"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Rico s\u00f3 vantagem pra investir App up to 4.58.32.12421 on Android. This issue affects some unknown processing of the file br/com/rico/mobile/di/SegmentSettingsModule.java of the component br.com.rico.mobile. Such manipulation of the argument SEGMENT_WRITE_KEY leads to use of hard-coded cryptographic key\r . The attack can only be performed from a local environment. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-02T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-03T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-03T00:16:18.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "fxizenta (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/355041", "name": "VDB-355041 | Rico s\u00f3 vantagem pra investir App br.com.rico.mobile SegmentSettingsModule.java hard-coded key", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/355041/cti", "name": "VDB-355041 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/781758", "name": "Submit #781758 | RICO.COM.VC Rico(br.com.rico.mobile) 4.58.32.12421 Segment Write Key Exposure", "tags": ["third-party-advisory"]}, {"url": "https://www.notion.so/Segment-Write-Key-Exposure-Leading-to-Data-Injection-and-User-Profile-Manipulation-In-br-com-rico-mo-3262de3f97fb800a9bfef6e6fd7d7179?source=copy_link", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T11:19:58.466725Z", "id": "CVE-2026-5453", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T11:20:13.272Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Rico s\u00f3 vantagem pra investir App up to 4.58.32.12421 on Android. This issue affects some unknown processing of the file br/com/rico/mobile/di/SegmentSettingsModule.java of the component br.com.rico.mobile. Such manipulation of the argument SEGMENT_WRITE_KEY leads to use of hard-coded cryptographic key\r . The attack can only be performed from a local environment. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-5453", "lastModified": "2026-04-03T05:16:23.710", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 1.7, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.1, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-03T05:16:23.710", "references": [{"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/781758"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355041"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355041/cti"}, {"source": "cna@vuldb.com", "url": "https://www.notion.so/Segment-Write-Key-Exposure-Leading-to-Data-Injection-and-User-Profile-Manipulation-In-br-com-rico-mo-3262de3f97fb800a9bfef6e6fd7d7179?source=copy_link"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-320"}, {"lang": "en", "value": "CWE-321"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "4.58.32.12421"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "s\u00f3 vantagem pra investir App", "source": "cna", "vendor": "Rico"}, "product": "s\u00f3_vantagem_pra_investir_app", "vendor": "rico"}], "analysis": {"en": {"generated_at": "2026-04-03T08:50:52.342592+00:00", "value": {"mitigation_remediation": ["Check if a newer version of the Rico application is available and review the vendor\u2019s release notes for a fix; if an update is available, install it promptly.", "If no update exists, consider disabling or removing the SEGMENT_WRITE_KEY configuration from the device or preventing local modification of that setting through device\u2011level controls.", "Apply device hardening measures to restrict local access, such as enforcing strong authentication for ADB or root tools, and monitor application logs for abnormal cryptographic activity."], "summary": {"action": "Assess Impact", "impact": "Local Key Exposure"}, "threat_synthesis": {"affected_systems": "The issue affects the Rico s\u00f3 vantagem pra investir App for Android versions up to 4.58.32.12421. The sensitive code resides in the br.com.rico.mobile component, specifically within br/com/rico/mobile/di/SegmentSettingsModule.java. Any device that installs a pre\u20114.58.32.12421 build is therefore vulnerable if an attacker can alter the SEGMENT_WRITE_KEY argument locally.", "description_and_impact": "A flaw in the Rico s\u00f3 vantagem pra investir Android application allows an attacker with local access to manipulate the SEGMENT_WRITE_KEY argument in SegmentSettingsModule.java, causing the app to use a hard\u2011coded cryptographic key. This key exposure means a local adversary could potentially decrypt, sign, or otherwise tamper with data that the application assumes is protected by a unique runtime key. The weakness arises from improper key handling and is classified as CWE\u2011320 (Hard\u2011coded Cryptographic Key) and CWE\u2011321 (Reused Hard\u2011coded Cryptographic Key). The vulnerability does not provide a Windows or internet\u2011based exploitation route; it can only be triggered from a device already running the affected app.", "risk_and_exploitability": "The CVSS base score of 4.8 indicates low\u2011to\u2011moderate severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, suggesting that it is not currently being targeted by widespread exploitation campaigns. Because the flaw requires local manipulation of the app configuration, the threat is largely confined to situations where an attacker already has physical or root access to the device. Nonetheless, once the key is exposed, the confidentiality and integrity of any data protected under that key are compromised. Administrators should treat the risk as moderate until a vendor\u2011supplied fix is confirmed. Currently, no public exploit exists beyond the disclosed disclosure."}}}}, "created": "2026-04-03T07:31:01.619916+00:00", "title": "Hard\u2011Coded Cryptographic Key Exposure in Rico Android App", "updated": "2026-04-03T09:15:48.131079+00:00", "vendors": ["rico", "rico$PRODUCT$s\u00f3_vantagem_pra_investir_app"]}