Which versions of Hashicorp are affected by CVE-2026-32309?

Cryptomator versions prior to 1.19.1 contain a protocol downgrade vulnerability that forces encrypted file access credentials to transmit over unencrypted HTTP connections, enabling network attackers…. A patch is available.

How to fix or mitigate CVE-2026-32309?

Within 24 hours: Identify all Cryptomator deployments in your environment and document current versions via asset inventory. Within 7 days: Upgrade all instances of Cryptomator to version 1.19.1 or later; coordinate with end users for client-side updates. Within 30 days: Conduct network monitoring for plaintext OAuth token or encryption key traffic on affected systems during the update window; document completion and validate HTTPS enforcement in updated instances.

Hashicorp CVE-2026-32309

Q: What is the CVSS score of CVE-2026-32309?

CVE-2026-32309 has a CVSS 4.0 base score of 8.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-13748 HIGH

Cleartext Transmission of Sensitive Information (CWE-319)

2026-03-20 GitHub_M

Information Disclosure Hashicorp

8.7

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:19 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

1.19.1

EUVD ID Assigned

Mar 20, 2026 - 18:30 euvd

EUVD-2026-13748

Analysis Generated

Mar 20, 2026 - 18:30 vuln.today

CVE Published

Mar 20, 2026 - 18:19 nvd

HIGH 8.7

DescriptionNVD

Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.1, the Hub-based unlock flow explicitly supports hub+http and consumes Hub endpoints from vault metadata without enforcing HTTPS. As a result, a vault configuration can drive OAuth and key-loading traffic over plaintext HTTP or other insecure endpoint combinations. An active network attacker can tamper with or observe this traffic. Even when the vault key is encrypted for the device, bearer tokens and endpoint-level trust decisions are still exposed to downgrade and interception. This issue has been patched in version 1.19.1.

AnalysisAI

Cryptomator's Hub-based unlock flow contains a protocol downgrade vulnerability that allows the application to communicate with Hub endpoints over plaintext HTTP instead of enforcing HTTPS. Cryptomator versions prior to 1.19.1 are affected, exposing OAuth bearer tokens, key-loading traffic, and endpoint-level trust decisions to network interception and tampering by active attackers. …

RemediationAI

Within 24 hours: Identify all Cryptomator deployments in your environment and document current versions via asset inventory. Within 7 days: Upgrade all instances of Cryptomator to version 1.19.1 or later; coordinate with end users for client-side updates. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory