Vulnerability-Lookup

CVE-2026-22694 (GCVE-0-2026-22694)

Vulnerability from cvelistv5 – Published: 2026-01-14 16:32 – Updated: 2026-01-14 16:59

Title

AliasVault is Missing Origin Validation in Android Passkey Credential Provider

Summary

AliasVault is a privacy-first password manager with built-in email aliasing. AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were validated. Under certain local conditions, a malicious app could attempt to obtain a passkey response for a site it was not authorized to access. The issue involved incomplete validation of calling app identity, origin, and RP ID in the Android credential provider. This issue was fixed in AliasVault Android 0.25.3.

Severity ?

6.1 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

CWE

CWE-346 - Origin Validation Error

Assigner

GitHub_M

References

URL

Tags

	https://github.com/aliasvault/aliasvault/security…	x_refsource_CONFIRM
	https://github.com/aliasvault/aliasvault/issues/1440	x_refsource_MISC
	https://github.com/aliasvault/aliasvault/pull/1441	x_refsource_MISC
	https://github.com/aliasvault/aliasvault/commit/b…	x_refsource_MISC
	https://github.com/aliasvault/aliasvault/releases…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	aliasvault	aliasvault	Affected: >= 0.24.0, < 0.25.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-22694",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-14T16:59:17.521627Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-14T16:59:24.012Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "aliasvault",
          "vendor": "aliasvault",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.24.0, \u003c 0.25.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "AliasVault is a privacy-first password manager with built-in email aliasing. AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were validated. Under certain local conditions, a malicious app could attempt to obtain a passkey response for a site it was not authorized to access. The issue involved incomplete validation of calling app identity, origin, and RP ID in the Android credential provider. This issue was fixed in AliasVault Android 0.25.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-346",
              "description": "CWE-346: Origin Validation Error",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-14T16:32:36.007Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/aliasvault/aliasvault/security/advisories/GHSA-mvg4-wvjv-332q",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/aliasvault/aliasvault/security/advisories/GHSA-mvg4-wvjv-332q"
        },
        {
          "name": "https://github.com/aliasvault/aliasvault/issues/1440",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/aliasvault/aliasvault/issues/1440"
        },
        {
          "name": "https://github.com/aliasvault/aliasvault/pull/1441",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/aliasvault/aliasvault/pull/1441"
        },
        {
          "name": "https://github.com/aliasvault/aliasvault/commit/b3350473103d6138ab2b63ca130c211717eac67d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/aliasvault/aliasvault/commit/b3350473103d6138ab2b63ca130c211717eac67d"
        },
        {
          "name": "https://github.com/aliasvault/aliasvault/releases/tag/0.25.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/aliasvault/aliasvault/releases/tag/0.25.3"
        }
      ],
      "source": {
        "advisory": "GHSA-mvg4-wvjv-332q",
        "discovery": "UNKNOWN"
      },
      "title": "AliasVault is Missing Origin Validation in Android Passkey Credential Provider"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-22694",
    "datePublished": "2026-01-14T16:32:36.007Z",
    "dateReserved": "2026-01-08T19:23:09.855Z",
    "dateUpdated": "2026-01-14T16:59:24.012Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-22694\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-01-14T17:16:08.810\",\"lastModified\":\"2026-01-14T17:16:08.810\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"AliasVault is a privacy-first password manager with built-in email aliasing. AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were validated. Under certain local conditions, a malicious app could attempt to obtain a passkey response for a site it was not authorized to access. The issue involved incomplete validation of calling app identity, origin, and RP ID in the Android credential provider. This issue was fixed in AliasVault Android 0.25.3.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":4.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-346\"}]}],\"references\":[{\"url\":\"https://github.com/aliasvault/aliasvault/commit/b3350473103d6138ab2b63ca130c211717eac67d\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/aliasvault/aliasvault/issues/1440\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/aliasvault/aliasvault/pull/1441\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/aliasvault/aliasvault/releases/tag/0.25.3\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/aliasvault/aliasvault/security/advisories/GHSA-mvg4-wvjv-332q\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-22694\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-14T16:59:17.521627Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-14T16:59:21.378Z\"}}], \"cna\": {\"title\": \"AliasVault is Missing Origin Validation in Android Passkey Credential Provider\", \"source\": {\"advisory\": \"GHSA-mvg4-wvjv-332q\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"aliasvault\", \"product\": \"aliasvault\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 0.24.0, \u003c 0.25.3\"}]}], \"references\": [{\"url\": \"https://github.com/aliasvault/aliasvault/security/advisories/GHSA-mvg4-wvjv-332q\", \"name\": \"https://github.com/aliasvault/aliasvault/security/advisories/GHSA-mvg4-wvjv-332q\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/aliasvault/aliasvault/issues/1440\", \"name\": \"https://github.com/aliasvault/aliasvault/issues/1440\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/aliasvault/aliasvault/pull/1441\", \"name\": \"https://github.com/aliasvault/aliasvault/pull/1441\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/aliasvault/aliasvault/commit/b3350473103d6138ab2b63ca130c211717eac67d\", \"name\": \"https://github.com/aliasvault/aliasvault/commit/b3350473103d6138ab2b63ca130c211717eac67d\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/aliasvault/aliasvault/releases/tag/0.25.3\", \"name\": \"https://github.com/aliasvault/aliasvault/releases/tag/0.25.3\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"AliasVault is a privacy-first password manager with built-in email aliasing. AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were validated. Under certain local conditions, a malicious app could attempt to obtain a passkey response for a site it was not authorized to access. The issue involved incomplete validation of calling app identity, origin, and RP ID in the Android credential provider. This issue was fixed in AliasVault Android 0.25.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-346\", \"description\": \"CWE-346: Origin Validation Error\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-01-14T16:32:36.007Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-22694\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-14T16:59:24.012Z\", \"dateReserved\": \"2026-01-08T19:23:09.855Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-01-14T16:32:36.007Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-22694

Vulnerability from fkie_nvd - Published: 2026-01-14 17:16 - Updated: 2026-01-14 17:16

Severity ?

6.1 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N