Skip to main content

Hashicorp EUVDEUVD-2026-13746

| CVE-2026-32303 HIGH
Origin Validation Error (CWE-346)
2026-03-20 GitHub_M
7.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.6 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:19 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.19.1
EUVD ID Assigned
Mar 20, 2026 - 18:15 euvd
EUVD-2026-13746
Analysis Generated
Mar 20, 2026 - 18:15 vuln.today
CVE Published
Mar 20, 2026 - 17:57 nvd
HIGH 7.6

DescriptionGitHub Advisory

Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.1, an integrity check vulnerability allows an attacker to tamper with the vault configuration file leading to a man-in-the-middle vulnerability in Hub key loading mechanism. Before this fix, the client trusted endpoints from the vault config without host authenticity checks, which could allow token exfiltration by mixing a legitimate auth endpoint with a malicious API endpoint. Impacted are users unlocking Hub-backed vaults with affected client versions in environments where an attacker can alter the vault.cryptomator file. This issue has been patched in version 1.19.1.

AnalysisAI

Cryptomator versions prior to 1.19.1 contain an integrity check vulnerability that allows attackers to tamper with the vault.cryptomator configuration file, enabling man-in-the-middle attacks during Hub key loading. Attackers can mix legitimate authentication endpoints with malicious API endpoints to exfiltrate access tokens from users unlocking Hub-backed vaults in environments where vault configuration files can be modified. The CVSS score of 7.6 indicates high severity with network attack vector requiring low privileges and user interaction, though no active exploitation (KEV) or public POC has been reported at this time.

Technical ContextAI

This vulnerability affects Cryptomator (cpe:2.3:a:cryptomator:cryptomator:*:*:*:*:*:*:*:*), a client-side encryption application for cloud storage that uses a Hub authentication mechanism for vault access. The root cause is CWE-346 (Origin Validation Error), where the application fails to perform proper host authenticity checks when processing endpoints specified in the vault.cryptomator configuration file. The client trusts configuration data without integrity validation, allowing an attacker who can modify this file to redirect API calls to attacker-controlled endpoints while maintaining legitimate authentication endpoints, creating a split-endpoint man-in-the-middle scenario that bypasses expected security boundaries.

RemediationAI

Upgrade Cryptomator to version 1.19.1 or later, as documented in the release notes at https://github.com/cryptomator/cryptomator/releases/tag/1.19.1 and patched via commit 6b82abcd80449a30b561d823193f9ecea542a625 available at https://github.com/cryptomator/cryptomator/commit/6b82abcd80449a30b561d823193f9ecea542a625. Until patching is possible, users should ensure vault.cryptomator configuration files are stored in locations with strict access controls and monitor for unauthorized modifications, verify the integrity of vault configuration files before unlocking Hub-backed vaults, and consider temporarily switching to password-based vault unlocking instead of Hub authentication in untrusted environments. Review the complete security advisory at https://github.com/cryptomator/cryptomator/security/advisories/GHSA-34rf-rwr3-7g43 for additional context and detection guidance.

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2021-30476 CRITICAL POC
9.8 Apr 22

HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Va

CVE-2019-7442 CRITICAL POC
9.8 May 08

An XML external entity (XXE) vulnerability in the Password Vault Web Access (PVWA) of CyberArk Enterprise Password Vault

CVE-2018-20371 CRITICAL POC
9.8 Dec 23

PhotoRange Photo Vault 1.2 appends the password to the URI for authorization, which makes it easier for remote attackers

CVE-2018-9843 CRITICAL POC
9.8 Apr 12

The REST API in CyberArk Password Vault Web Access before 9.9.5 and 10.x before 10.1 allows remote attackers to execute

CVE-2026-60104 CRITICAL POC
9.3 Jul 08

Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any oth

CVE-2021-43837 CRITICAL POC
9.1 Dec 16

vault-cli is a configurable command-line interface tool (and python library) to interact with Hashicorp Vault. Rated cri

CVE-2020-16272 CRITICAL POC
9.1 Aug 03

The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 is missing validation for a client-provided parameter, w

CVE-2020-16271 CRITICAL POC
9.1 Aug 03

The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 generates insufficiently random numbers, which allows re

CVE-2017-11741 HIGH POC
8.8 Aug 08

HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) before 4.0.24 uses weak permissions for the sudo help

CVE-2024-52009 HIGH POC
8.5 Nov 08

Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Rated high sev

CVE-2025-58437 HIGH POC
8.1 Sep 06

Coder allows organizations to provision remote development environments via Terraform. Rated high severity (CVSS 8.1), t

Share

EUVD-2026-13746 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy