Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.1, an integrity check vulnerability allows an attacker to tamper with the vault configuration file leading to a man-in-the-middle vulnerability in Hub key loading mechanism. Before this fix, the client trusted endpoints from the vault config without host authenticity checks, which could allow token exfiltration by mixing a legitimate auth endpoint with a malicious API endpoint. Impacted are users unlocking Hub-backed vaults with affected client versions in environments where an attacker can alter the vault.cryptomator file. This issue has been patched in version 1.19.1.
AnalysisAI
Cryptomator versions prior to 1.19.1 contain an integrity check vulnerability that allows attackers to tamper with the vault.cryptomator configuration file, enabling man-in-the-middle attacks during Hub key loading. Attackers can mix legitimate authentication endpoints with malicious API endpoints to exfiltrate access tokens from users unlocking Hub-backed vaults in environments where vault configuration files can be modified. The CVSS score of 7.6 indicates high severity with network attack vector requiring low privileges and user interaction, though no active exploitation (KEV) or public POC has been reported at this time.
Technical ContextAI
This vulnerability affects Cryptomator (cpe:2.3:a:cryptomator:cryptomator:*:*:*:*:*:*:*:*), a client-side encryption application for cloud storage that uses a Hub authentication mechanism for vault access. The root cause is CWE-346 (Origin Validation Error), where the application fails to perform proper host authenticity checks when processing endpoints specified in the vault.cryptomator configuration file. The client trusts configuration data without integrity validation, allowing an attacker who can modify this file to redirect API calls to attacker-controlled endpoints while maintaining legitimate authentication endpoints, creating a split-endpoint man-in-the-middle scenario that bypasses expected security boundaries.
RemediationAI
Upgrade Cryptomator to version 1.19.1 or later, as documented in the release notes at https://github.com/cryptomator/cryptomator/releases/tag/1.19.1 and patched via commit 6b82abcd80449a30b561d823193f9ecea542a625 available at https://github.com/cryptomator/cryptomator/commit/6b82abcd80449a30b561d823193f9ecea542a625. Until patching is possible, users should ensure vault.cryptomator configuration files are stored in locations with strict access controls and monitor for unauthorized modifications, verify the integrity of vault configuration files before unlocking Hub-backed vaults, and consider temporarily switching to password-based vault unlocking instead of Hub authentication in untrusted environments. Review the complete security advisory at https://github.com/cryptomator/cryptomator/security/advisories/GHSA-34rf-rwr3-7g43 for additional context and detection guidance.
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Va
An XML external entity (XXE) vulnerability in the Password Vault Web Access (PVWA) of CyberArk Enterprise Password Vault
PhotoRange Photo Vault 1.2 appends the password to the URI for authorization, which makes it easier for remote attackers
The REST API in CyberArk Password Vault Web Access before 9.9.5 and 10.x before 10.1 allows remote attackers to execute
Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any oth
vault-cli is a configurable command-line interface tool (and python library) to interact with Hashicorp Vault. Rated cri
The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 is missing validation for a client-provided parameter, w
The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 generates insufficiently random numbers, which allows re
HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) before 4.0.24 uses weak permissions for the sudo help
Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Rated high sev
Coder allows organizations to provision remote development environments via Terraform. Rated high severity (CVSS 8.1), t
Same weakness CWE-346 – Origin Validation Error
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13746