{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32303", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-11T21:16:21.659Z", "datePublished": "2026-03-20T17:57:31.884Z", "dateUpdated": "2026-03-23T21:41:57.420Z"}, "containers": {"cna": {"title": "Cryptomator: Tampered vault configuration allows MITM attack on Hub API", "problemTypes": [{"descriptions": [{"cweId": "CWE-346", "lang": "en", "description": "CWE-346: Origin Validation Error", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-354", "lang": "en", "description": "CWE-354: Improper Validation of Integrity Check Value", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-451", "lang": "en", "description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-923", "lang": "en", "description": "CWE-923: Improper Restriction of Communication Channel to Intended Endpoints", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/cryptomator/cryptomator/security/advisories/GHSA-34rf-rwr3-7g43", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/cryptomator/cryptomator/security/advisories/GHSA-34rf-rwr3-7g43"}, {"name": "https://github.com/cryptomator/cryptomator/pull/4179", "tags": ["x_refsource_MISC"], "url": "https://github.com/cryptomator/cryptomator/pull/4179"}, {"name": "https://github.com/cryptomator/cryptomator/commit/6b82abcd80449a30b561d823193f9ecea542a625", "tags": ["x_refsource_MISC"], "url": "https://github.com/cryptomator/cryptomator/commit/6b82abcd80449a30b561d823193f9ecea542a625"}, {"name": "https://github.com/cryptomator/cryptomator/releases/tag/1.19.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/cryptomator/cryptomator/releases/tag/1.19.1"}], "affected": [{"vendor": "cryptomator", "product": "cryptomator", "versions": [{"version": "< 1.19.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T17:57:31.884Z"}, "descriptions": [{"lang": "en", "value": "Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.1, an integrity check vulnerability allows an attacker to tamper with the vault configuration file leading to a man-in-the-middle vulnerability in Hub key loading mechanism. Before this fix, the client trusted endpoints from the vault config without host authenticity checks, which could allow token exfiltration by mixing a legitimate auth endpoint with a malicious API endpoint. Impacted are users unlocking Hub-backed vaults with affected client versions in environments where an attacker can alter the vault.cryptomator file. This issue has been patched in version 1.19.1."}], "source": {"advisory": "GHSA-34rf-rwr3-7g43", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T20:52:44.437617Z", "id": "CVE-2026-32303", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T21:41:57.420Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32303", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T20:52:44.437617Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T21:32:00.491Z"}}], "cna": {"title": "Cryptomator: Tampered vault configuration allows MITM attack on Hub API", "source": {"advisory": "GHSA-34rf-rwr3-7g43", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "cryptomator", "product": "cryptomator", "versions": [{"status": "affected", "version": "< 1.19.1"}]}], "references": [{"url": "https://github.com/cryptomator/cryptomator/security/advisories/GHSA-34rf-rwr3-7g43", "name": "https://github.com/cryptomator/cryptomator/security/advisories/GHSA-34rf-rwr3-7g43", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/cryptomator/cryptomator/pull/4179", "name": "https://github.com/cryptomator/cryptomator/pull/4179", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/cryptomator/cryptomator/commit/6b82abcd80449a30b561d823193f9ecea542a625", "name": "https://github.com/cryptomator/cryptomator/commit/6b82abcd80449a30b561d823193f9ecea542a625", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/cryptomator/cryptomator/releases/tag/1.19.1", "name": "https://github.com/cryptomator/cryptomator/releases/tag/1.19.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.1, an integrity check vulnerability allows an attacker to tamper with the vault configuration file leading to a man-in-the-middle vulnerability in Hub key loading mechanism. Before this fix, the client trusted endpoints from the vault config without host authenticity checks, which could allow token exfiltration by mixing a legitimate auth endpoint with a malicious API endpoint. Impacted are users unlocking Hub-backed vaults with affected client versions in environments where an attacker can alter the vault.cryptomator file. This issue has been patched in version 1.19.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-346", "description": "CWE-346: Origin Validation Error"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-354", "description": "CWE-354: Improper Validation of Integrity Check Value"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-451", "description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-923", "description": "CWE-923: Improper Restriction of Communication Channel to Intended Endpoints"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T17:57:31.884Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32303", "state": "PUBLISHED", "dateUpdated": "2026-03-23T21:41:57.420Z", "dateReserved": "2026-03-11T21:16:21.659Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T17:57:31.884Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cryptomator:cryptomator:*:*:*:*:*:*:*:*", "matchCriteriaId": "039991F9-B02C-4F96-B022-2ACFD48A068C", "versionEndExcluding": "1.19.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.1, an integrity check vulnerability allows an attacker to tamper with the vault configuration file leading to a man-in-the-middle vulnerability in Hub key loading mechanism. Before this fix, the client trusted endpoints from the vault config without host authenticity checks, which could allow token exfiltration by mixing a legitimate auth endpoint with a malicious API endpoint. Impacted are users unlocking Hub-backed vaults with affected client versions in environments where an attacker can alter the vault.cryptomator file. This issue has been patched in version 1.19.1."}], "id": "CVE-2026-32303", "lastModified": "2026-03-26T13:55:14.187", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-20T18:16:14.593", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/cryptomator/cryptomator/commit/6b82abcd80449a30b561d823193f9ecea542a625"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/cryptomator/cryptomator/pull/4179"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/cryptomator/cryptomator/releases/tag/1.19.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/cryptomator/cryptomator/security/advisories/GHSA-34rf-rwr3-7g43"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-346"}, {"lang": "en", "value": "CWE-354"}, {"lang": "en", "value": "CWE-451"}, {"lang": "en", "value": "CWE-923"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.19.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "cryptomator", "source": "cna", "vendor": "cryptomator"}, "product": "cryptomator", "vendor": "cryptomator"}], "analysis": {"en": {"generated_at": "2026-03-26T16:07:51.656565+00:00", "value": {"mitigation_remediation": ["Install Cryptomator version 1.19.1 or later to apply the integrity\u2011check fix.", "Verify that the vault.cryptomator file is signed or use file integrity monitoring tools.", "Restrict file permissions so only the owner can modify the vault configuration.", "Audit and monitor for unexpected changes to vault.cryptomator files."], "summary": {"action": "Apply Patch", "impact": "Unauthorized API Access"}, "threat_synthesis": {"affected_systems": "Cryptomator, the open\u2011source client for encrypted cloud storage, is affected. Users who run versions prior to 1.19.1 and unlock Hub\u2011backed vaults in environments where an attacker can alter the vault.cryptomator file are vulnerable. Version 1.19.1 contains a patch that restores integrity verification of the configuration file and the existing hosts list. The vulnerability applies to all releases before that point.", "description_and_impact": "Cryptomator normally encrypts files stored on cloud services and relies on an integrity check of the vault configuration file. An attacker who can modify this file bypasses host authenticity validation during Hub key loading, creating a man\u2011in\u2011the\u2011middle scenario. The vulnerability enables a malicious endpoint to be paired with a legitimate authentication endpoint, allowing the extraction of access tokens used to communicate with the cloud. The flaw is characterized by CWE\u2011346, CWE\u2011354, CWE\u2011451, and CWE\u2011923, and has a CVSS score of 7.6, indicating high severity.", "risk_and_exploitability": "The risk is high due to the potential for token theft, but the EPSS score <1% indicates low likelihood of widespread exploitation at present. The vulnerability is not cataloged in CISA\u2019s KEV list. Exploitation requires the attacker to have the ability to tamper with the configuration file on the client machine or the network path used to retrieve it, making it most likely in scenarios where local credentials are compromised or the user accepts malicious updates. The attack path is relatively straightforward once file tampering is possible, and it can result in unauthorized API calls to the cloud provider on the victim\u2019s behalf."}}}}, "created": "2026-03-23T09:53:06.000114+00:00", "updated": "2026-03-27T09:21:33.249238+00:00", "vendors": ["cryptomator", "cryptomator$PRODUCT$cryptomator"]}