Integrity Check Vulnerability in Cryptomator Affects Cloud Data Security
CVE-2026-32303

7.6HIGH

Key Information:

Vendor

Cryptomator

Status
Cryptomator
Vendor
CVE Published:
20 March 2026

What is CVE-2026-32303?

An integrity check vulnerability in Cryptomator, prior to version 1.19.1, could allow attackers to tamper with the vault configuration file. This flaw leads to a man-in-the-middle vulnerability in the Hub key loading mechanism. Clients trusted endpoints from the vault config without ensuring host authenticity, potentially exposing users to token exfiltration through a mix of legitimate and malicious API endpoints. Users who unlock Hub-backed vaults with affected client versions in environments where the vault.cryptomator file can be altered are at risk. The issue has been addressed in version 1.19.1.

Affected Version(s)

cryptomator < 1.19.1

References

https://github.com/cryptomator/cryptomator/security/advis...
x_refsource_CONFIRM
https://github.com/cryptomator/cryptomator/pull/4179
x_refsource_MISC
https://github.com/cryptomator/cryptomator/commit/6b82abc...
x_refsource_MISC

CVSS V3.1

Score:
7.6
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.