{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32318", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-11T21:16:21.660Z", "datePublished": "2026-03-20T18:27:22.410Z", "dateUpdated": "2026-03-20T19:20:49.867Z"}, "containers": {"cna": {"title": "Cryptomator for IOS: Tampered vault configuration allows MITM attack on Hub API", "problemTypes": [{"descriptions": [{"cweId": "CWE-346", "lang": "en", "description": "CWE-346: Origin Validation Error", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-354", "lang": "en", "description": "CWE-354: Improper Validation of Integrity Check Value", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-451", "lang": "en", "description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-923", "lang": "en", "description": "CWE-923: Improper Restriction of Communication Channel to Intended Endpoints", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/cryptomator/ios/security/advisories/GHSA-g7fr-c82r-hm6j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/cryptomator/ios/security/advisories/GHSA-g7fr-c82r-hm6j"}, {"name": "https://github.com/cryptomator/ios/pull/444", "tags": ["x_refsource_MISC"], "url": "https://github.com/cryptomator/ios/pull/444"}, {"name": "https://github.com/cryptomator/ios/commit/98c31280304af65c0932eb547d5fe4be2d16929c", "tags": ["x_refsource_MISC"], "url": "https://github.com/cryptomator/ios/commit/98c31280304af65c0932eb547d5fe4be2d16929c"}, {"name": "https://github.com/cryptomator/ios/releases/tag/2.8.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/cryptomator/ios/releases/tag/2.8.3"}], "affected": [{"vendor": "cryptomator", "product": "ios", "versions": [{"version": "< 2.8.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T18:27:22.410Z"}, "descriptions": [{"lang": "en", "value": "Cryptomator for IOS offers multi-platform transparent client-side encryption for files in the cloud. Prior to version 2.8.3, an integrity check vulnerability allows an attacker tamper with the vault configuration file leading to a man-in-the-middle vulnerability in Hub key loading mechanism. Before this fix, the client trusted endpoints from the vault config without host authenticity checks, which could allow token exfiltration by mixing a legitimate auth endpoint with a malicious API endpoint. Impacted are users unlocking Hub-backed vaults with affected client versions in environments where an attacker can alter the vault.cryptomator file. This issue has been patched in version 2.8.3."}], "source": {"advisory": "GHSA-g7fr-c82r-hm6j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T19:20:21.249870Z", "id": "CVE-2026-32318", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T19:20:49.867Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32318", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T19:20:21.249870Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T19:20:29.845Z"}}], "cna": {"title": "Cryptomator for IOS: Tampered vault configuration allows MITM attack on Hub API", "source": {"advisory": "GHSA-g7fr-c82r-hm6j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "cryptomator", "product": "ios", "versions": [{"status": "affected", "version": "< 2.8.3"}]}], "references": [{"url": "https://github.com/cryptomator/ios/security/advisories/GHSA-g7fr-c82r-hm6j", "name": "https://github.com/cryptomator/ios/security/advisories/GHSA-g7fr-c82r-hm6j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/cryptomator/ios/pull/444", "name": "https://github.com/cryptomator/ios/pull/444", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/cryptomator/ios/commit/98c31280304af65c0932eb547d5fe4be2d16929c", "name": "https://github.com/cryptomator/ios/commit/98c31280304af65c0932eb547d5fe4be2d16929c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/cryptomator/ios/releases/tag/2.8.3", "name": "https://github.com/cryptomator/ios/releases/tag/2.8.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Cryptomator for IOS offers multi-platform transparent client-side encryption for files in the cloud. Prior to version 2.8.3, an integrity check vulnerability allows an attacker tamper with the vault configuration file leading to a man-in-the-middle vulnerability in Hub key loading mechanism. Before this fix, the client trusted endpoints from the vault config without host authenticity checks, which could allow token exfiltration by mixing a legitimate auth endpoint with a malicious API endpoint. Impacted are users unlocking Hub-backed vaults with affected client versions in environments where an attacker can alter the vault.cryptomator file. This issue has been patched in version 2.8.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-346", "description": "CWE-346: Origin Validation Error"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-354", "description": "CWE-354: Improper Validation of Integrity Check Value"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-451", "description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-923", "description": "CWE-923: Improper Restriction of Communication Channel to Intended Endpoints"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T18:27:22.410Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32318", "state": "PUBLISHED", "dateUpdated": "2026-03-20T19:20:49.867Z", "dateReserved": "2026-03-11T21:16:21.660Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T18:27:22.410Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cryptomator:cryptomator:*:*:*:*:*:*:*:*", "matchCriteriaId": "6E533214-6DC0-4F2C-A76C-D3A7CB0322FF", "versionEndIncluding": "2.8.2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "matchCriteriaId": "340C4071-1447-477F-942A-8E09EA29F917", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cryptomator for IOS offers multi-platform transparent client-side encryption for files in the cloud. Prior to version 2.8.3, an integrity check vulnerability allows an attacker tamper with the vault configuration file leading to a man-in-the-middle vulnerability in Hub key loading mechanism. Before this fix, the client trusted endpoints from the vault config without host authenticity checks, which could allow token exfiltration by mixing a legitimate auth endpoint with a malicious API endpoint. Impacted are users unlocking Hub-backed vaults with affected client versions in environments where an attacker can alter the vault.cryptomator file. This issue has been patched in version 2.8.3."}], "id": "CVE-2026-32318", "lastModified": "2026-03-26T13:48:30.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-20T19:16:16.277", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/cryptomator/ios/commit/98c31280304af65c0932eb547d5fe4be2d16929c"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/cryptomator/ios/pull/444"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/cryptomator/ios/releases/tag/2.8.3"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/cryptomator/ios/security/advisories/GHSA-g7fr-c82r-hm6j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-346"}, {"lang": "en", "value": "CWE-354"}, {"lang": "en", "value": "CWE-451"}, {"lang": "en", "value": "CWE-923"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.8.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "ios", "source": "cna", "vendor": "cryptomator"}, "product": "ios", "vendor": "cryptomator"}], "analysis": {"en": {"generated_at": "2026-03-26T16:07:40.073376+00:00", "value": {"mitigation_remediation": ["Upgrade Cryptomator iOS to version 2.8.3 or later."], "summary": {"action": "Patch", "impact": "Man\u2011in\u2011the\u2011Middle via tampered vault configuration"}, "threat_synthesis": {"affected_systems": "Cryptomator iOS clients before version 2.8.3. Users who unlock Hub\u2011backed vaults on iOS devices with these versions in environments where an attacker can alter the vault.cryptomator file. The vulnerability applies to all iPhone OS versions that run the affected app.", "description_and_impact": "A flaw in Cryptomator for iOS allows an attacker to modify the vault configuration file because the integrity check is missing. The tampered file points the client to a malicious Hub API endpoint without validating the host, enabling a man\u2011in\u2011the\u2011middle attack that can steal authentication tokens. This leads to unauthorized access to vault contents and possible credential theft.", "risk_and_exploitability": "The CVSS score is 7.6, indicating a high severity. EPSS is below 1%, suggesting a low current probability of exploitation. The issue is not listed in CISA\u2019s KEV catalog. Exploitation requires the attacker to be able to modify the vault configuration file, which could occur through local device compromise, a malicious installer, or remote file manipulation if the vault is stored on shared media. Once the file is altered, the iOS client trusts the rogue endpoint and can expose tokens, effectively performing a MITM. The likely attack vector is tampering with the vault file prior to use; no additional network privilege is required."}}}}, "created": "2026-03-23T09:53:02.391191+00:00", "updated": "2026-03-27T09:21:32.022956+00:00", "vendors": ["cryptomator", "cryptomator$PRODUCT$ios"]}