CVE-2026-32303 (GCVE-0-2026-32303)

Vulnerability from cvelistv5 – Published: 2026-03-20 17:57 – Updated: 2026-03-20 17:57
VLAI?
Title
Cryptomator: Tampered vault configuration allows MITM attack on Hub API
Summary
Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.1, an integrity check vulnerability allows an attacker to tamper with the vault configuration file leading to a man-in-the-middle vulnerability in Hub key loading mechanism. Before this fix, the client trusted endpoints from the vault config without host authenticity checks, which could allow token exfiltration by mixing a legitimate auth endpoint with a malicious API endpoint. Impacted are users unlocking Hub-backed vaults with affected client versions in environments where an attacker can alter the vault.cryptomator file. This issue has been patched in version 1.19.1.
Severity ?
7.6 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
CWE
  • CWE-346 - Origin Validation Error
  • CWE-354 - Improper Validation of Integrity Check Value
  • CWE-451 - User Interface (UI) Misrepresentation of Critical Information
  • CWE-923 - Improper Restriction of Communication Channel to Intended Endpoints
Assigner
References
Impacted products
Vendor Product Version
cryptomator cryptomator Affected: < 1.19.1
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "cryptomator",
          "vendor": "cryptomator",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.19.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.1, an integrity check vulnerability allows an attacker to tamper with the vault configuration file leading to a man-in-the-middle vulnerability in Hub key loading mechanism. Before this fix, the client trusted endpoints from the vault config without host authenticity checks, which could allow token exfiltration by mixing a legitimate auth endpoint with a malicious API endpoint. Impacted are users unlocking Hub-backed vaults with affected client versions in environments where an attacker can alter the vault.cryptomator file. This issue has been patched in version 1.19.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-346",
              "description": "CWE-346: Origin Validation Error",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-354",
              "description": "CWE-354: Improper Validation of Integrity Check Value",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-451",
              "description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-923",
              "description": "CWE-923: Improper Restriction of Communication Channel to Intended Endpoints",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-20T17:57:31.884Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/cryptomator/cryptomator/security/advisories/GHSA-34rf-rwr3-7g43",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/cryptomator/cryptomator/security/advisories/GHSA-34rf-rwr3-7g43"
        },
        {
          "name": "https://github.com/cryptomator/cryptomator/pull/4179",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/cryptomator/cryptomator/pull/4179"
        },
        {
          "name": "https://github.com/cryptomator/cryptomator/commit/6b82abcd80449a30b561d823193f9ecea542a625",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/cryptomator/cryptomator/commit/6b82abcd80449a30b561d823193f9ecea542a625"
        },
        {
          "name": "https://github.com/cryptomator/cryptomator/releases/tag/1.19.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/cryptomator/cryptomator/releases/tag/1.19.1"
        }
      ],
      "source": {
        "advisory": "GHSA-34rf-rwr3-7g43",
        "discovery": "UNKNOWN"
      },
      "title": "Cryptomator: Tampered vault configuration allows MITM attack on Hub API"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32303",
    "datePublished": "2026-03-20T17:57:31.884Z",
    "dateReserved": "2026-03-11T21:16:21.659Z",
    "dateUpdated": "2026-03-20T17:57:31.884Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-32303\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-20T18:16:14.593\",\"lastModified\":\"2026-03-20T18:16:14.593\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.1, an integrity check vulnerability allows an attacker to tamper with the vault configuration file leading to a man-in-the-middle vulnerability in Hub key loading mechanism. Before this fix, the client trusted endpoints from the vault config without host authenticity checks, which could allow token exfiltration by mixing a legitimate auth endpoint with a malicious API endpoint. Impacted are users unlocking Hub-backed vaults with affected client versions in environments where an attacker can alter the vault.cryptomator file. This issue has been patched in version 1.19.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N\",\"baseScore\":7.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":4.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-346\"},{\"lang\":\"en\",\"value\":\"CWE-354\"},{\"lang\":\"en\",\"value\":\"CWE-451\"},{\"lang\":\"en\",\"value\":\"CWE-923\"}]}],\"references\":[{\"url\":\"https://github.com/cryptomator/cryptomator/commit/6b82abcd80449a30b561d823193f9ecea542a625\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/cryptomator/cryptomator/pull/4179\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/cryptomator/cryptomator/releases/tag/1.19.1\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/cryptomator/cryptomator/security/advisories/GHSA-34rf-rwr3-7g43\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.