Insecure Data Transmission in Cryptomator by Liquiproof
CVE-2026-32309

8.7 HIGH

Key Information:

Vendor
CVE Published: 20 March 2026

What is CVE-2026-32309?

Cryptomator is a tool for encrypting files stored in cloud services. In versions prior to 1.19.1, its hub-based unlock flow allows data to be transmitted over unencrypted HTTP, exposing sensitive information to active network attackers. An attacker who can intercept or manipulate that traffic can compromise bearer tokens and key-loading credentials. Although the vault key is protected on the device, the lack of enforced HTTPS on endpoints creates significant security risks. The issue is fixed in release 1.19.1; update to this version to ensure secure data handling.

Affected Version(s)

cryptomator < 1.19.1

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
