Insecure Storage Vulnerability in AliasVault App for Android/iOS
CVE-2026-2974
Key Information:
- Vendor
AliasVault
- Status
- Vendor
- CVE Published:
- 23 February 2026
Badges
What is CVE-2026-2974?
A vulnerability has been identified in the AliasVault App versions up to 0.25.3 for Android and iOS, originating from inadequate handling of sensitive information in the backup process. Specifically, this flaw involves the manipulation of the accessToken, refreshToken, metadata, and key derivation parameters stored in the aliasvault.xml file of the Backup Handler component, potentially exposing backup files to unauthorized access. While the complexity of executing an attack locally is high and the exploit requires specific conditions, it is essential to note that the tokens revealed do not directly compromise the vault, but they should not be included in backups. Users are advised to upgrade to version 0.26.0, which addresses this vulnerability and enhances overall security.
Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.
Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.
Affected Version(s)
AliasVault App 0.25.0
AliasVault App 0.25.1
AliasVault App 0.25.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved