Logic Flaw in Cryptomator's Security Handling for Cloud Storage
CVE-2026-33472

4.8 MEDIUM

Key Information:

Vendor
CVE Published:
16 April 2026

What is CVE-2026-33472?

Cryptomator is an open-source client-side encryption tool for cloud storage. Version 1.19.1 has a logic flaw in CheckHostTrustController.getAuthority(), the method behind the host-trust check that was introduced to fix a related vulnerability. Instead of honoring the URI scheme in the vault's Hub configuration, getAuthority() derives the scheme from the port number, so the authority the check reasons about can differ from the endpoint the client actually connects to. An attacker with write access to a vault file can exploit this by editing the Hub configuration to use HTTPS on port 80; that configuration passes the auto-trust validation, so the safeguard does not fire. A network-positioned attacker can then intercept the OAuth token exchange with the tampered Hub endpoint and use the token to gain unauthorized access to the Cryptomator Hub API. Version 1.19.2 fixes the issue.
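The check/use mismatch described above, as an added example that is not Cryptomator's code: a hypothetical model of a getAuthority() that picks the scheme from the port (the mapping 80 -> http, anything else -> https is an assumption for illustration), beside a hardened version that derives the authority from the same parsed URI the client will use. The hub URLs, the trusted set and the auto-trust rule (skip the prompt when the computed authority was trusted before) are all constructed assumptions, not the project's actual policy.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample values (not from the advisory): the Hub URL as originally
# configured, and the value an attacker with write access to the vault file
# could substitute (HTTPS on port 80, the case the advisory names).
ORIGINAL_HUB_URL = "https://hub.example.com"
TAMPERED_HUB_URL = "https://hub.example.com:80"


def client_target(hub_url: str) -> str:
    """The endpoint an HTTP client will actually contact: scheme, host and port
    exactly as configured, with the port defaulted from the configured scheme."""
    u = urlsplit(hub_url)
    if u.scheme not in DEFAULT_PORTS or not u.hostname:
        raise ValueError(f"not an http(s) URL with a host: {hub_url!r}")
    port = u.port if u.port is not None else DEFAULT_PORTS[u.scheme]
    return f"{u.scheme}://{u.hostname}:{port}"


def vulnerable_get_authority(hub_url: str) -> str:
    """Hypothetical model of the flawed getAuthority(): the configured scheme is
    discarded and a scheme is chosen from the port instead (assumed mapping:
    80 -> http, anything else -> https)."""
    u = urlsplit(hub_url)
    port = u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme, 443)
    scheme = "http" if port == 80 else "https"
    return f"{scheme}://{u.hostname}:{port}"


def fixed_get_authority(hub_url: str) -> str:
    """Hardened version: the authority used for the trust decision is computed
    from the same parsed URI the client will use, so check and use agree."""
    return client_target(hub_url)


def check_use_mismatch(get_authority, hub_url: str) -> bool:
    """True when the trust check reasons about a different endpoint than the
    one the client will connect to."""
    return get_authority(hub_url) != client_target(hub_url)


def decide_trust(get_authority, hub_url: str, trusted: set) -> str:
    """Hypothetical auto-trust rule (an assumption, not Cryptomator's policy):
    skip the confirmation prompt when the computed authority was trusted before."""
    return "auto-trust" if get_authority(hub_url) in trusted else "prompt"


def demo() -> dict:
    """Compare both implementations on the tampered URL. Under the flawed
    derivation, trust recorded for a plain-HTTP endpoint is reused for an
    HTTPS endpoint on the same host and port; the fixed version keeps them apart."""
    previously_trusted = {"http://hub.example.com:80"}  # constructed trust store
    results = {}
    for name, fn in (("vulnerable", vulnerable_get_authority),
                     ("fixed", fixed_get_authority)):
        results[name] = {
            "authority": fn(TAMPERED_HUB_URL),
            "target": client_target(TAMPERED_HUB_URL),
            "mismatch": check_use_mismatch(fn, TAMPERED_HUB_URL),
            "decision": decide_trust(fn, TAMPERED_HUB_URL, previously_trusted),
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

The property worth keeping in mind is that the flawed derivation collapses `http://hub.example.com:80` and `https://hub.example.com:80` to one authority string, so any decision keyed on that string (trust, denial, caching) silently applies to both endpoints, while the client connects to whichever one the vault file names.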

Affected Version(s)

cryptomator >= 1.19.1, < 1.19.2

References

CVSS V3.1

Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
Score:
4.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability reserved

  • Vulnerability published: 16 April 2026