CVE-2026-5462
Wahoo Fitness SYSTM App com.WahooFitness.SYSTM BuildConfig.java hard-coded key
CVSS Score
3.3
EPSS Score
0.0%
EPSS Percentile
1th
A vulnerability was identified in Wahoo Fitness SYSTM App up to 7.2.1 on Android. Impacted is an unknown function of the file com/WahooFitness/SYSTM/BuildConfig.java of the component com.WahooFitness.SYSTM. Such manipulation of the argument SEGMENT_WRITE_KEY leads to use of hard-coded cryptographic key . Local access is required to approach this attack. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
| CWE | CWE-321 CWE-320 |
| Vendor | wahoo fitness |
| Product | systm app |
| Published | Apr 3, 2026 |
| Last Updated | Apr 3, 2026 |
Stay Ahead of the Next One
Get instant alerts for wahoo fitness systm app
Be the first to know when new low vulnerabilities affecting wahoo fitness systm app are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
Wahoo Fitness / SYSTM App
7.2.0 7.2.1
References
vuldb.com: https://vuldb.com/vuln/355053 vuldb.com: https://vuldb.com/vuln/355053/cti vuldb.com: https://vuldb.com/submit/781767 notion.so: https://www.notion.so/Segment-Write-Key-Exposure-Leading-to-Data-Injection-and-User-Profile-Manipulation-In-com-WahooFitne-3262de3f97fb8038808eed63af1a48b8?source=copy_link
Credits
๐ fxizenta (VulDB User) VulDB CNA Team