Skip to main content

Windows EUVDEUVD-2026-13750

| CVE-2026-32310 MEDIUM
Path Traversal (CWE-22)
2026-03-20 GitHub_M
4.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.1 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 20, 2026 - 18:30 euvd
EUVD-2026-13750
Analysis Generated
Mar 20, 2026 - 18:30 vuln.today
CVE Published
Mar 20, 2026 - 18:19 nvd
MEDIUM 4.1

DescriptionGitHub Advisory

Cryptomator encrypts data being stored on cloud infrastructure. From version 1.6.0 to before version 1.19.1, vault configuration is parsed before its integrity is verified, and the masterkeyfile loader uses the unverified keyId as a filesystem path. The loader resolves keyId.getSchemeSpecificPart() directly against the vault path and immediately calls Files.exists(...). This allows a malicious vault config to supply parent-directory escapes, absolute local paths, or UNC paths (e.g., masterkeyfile://attacker/share/masterkey.cryptomator). On Windows, the UNC variant is especially dangerous because Path.resolve("//attacker/share/...") becomes \\attacker\share\..., so the existence check can trigger outbound SMB access before the user even enters a passphrase. This issue has been patched in version 1.19.1.

AnalysisAI

Cryptomator versions 1.6.0 through 1.19.0 contain a path traversal vulnerability in vault configuration parsing where the masterkeyfile loader resolves an unverified keyId parameter as a filesystem path before integrity checks are performed. An attacker with the ability to supply a malicious vault configuration can exploit this to trigger arbitrary file existence checks, including UNC paths on Windows that can initiate outbound SMB connections before the user even enters a passphrase, potentially leading to information disclosure about local file structure and network exposure. The vulnerability has been patched in version 1.19.1, and while no active KEV exploitation has been reported, the low attack complexity and the ability to chain this with social engineering (malicious vault sharing) makes it a moderate practical risk.

Technical ContextAI

Cryptomator is a client-side encryption application for securing files on cloud storage platforms. The vulnerability exists in the vault configuration loader component, which is responsible for parsing and validating vault metadata before decryption operations. The root cause is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, aka Path Traversal), where the application resolves user-controlled input (keyId from vault config) directly using Path.resolve() against the vault directory without prior validation or sanitization. The masterkeyfile URI scheme handler extracts keyId.getSchemeSpecificPart() and immediately calls Files.exists() to verify the key file, but this check occurs before the vault configuration integrity is cryptographically verified. On Windows systems specifically, UNC path syntax (//attacker/share/) is converted to SMB network paths (\\attacker\share\), allowing attackers to trigger SMB connection attempts that can be intercepted or logged by network monitoring tools. The affected CPE is cpe:2.3:a:cryptomator:cryptomator:*:*:*:*:*:*:*:*

RemediationAI

Upgrade Cryptomator immediately to version 1.19.1 or later, which includes the fix implemented in commit 1e3dfe3de1623b1b85d24db91e49d31d1ea11f40 (see https://github.com/cryptomator/cryptomator/pull/4180 for the merge details). Users unable to patch immediately should avoid opening vault configuration files from untrusted sources and be cautious when sharing vault files with others, particularly on Windows systems where UNC path exploitation could expose network topology. Network administrators may consider implementing SMB egress filtering on Windows workstations to prevent unexpected outbound SMB connections that could be triggered by malicious vault configurations. Until patching is completed, treat all vault files as potentially malicious and restrict access to trusted, in-house generated vaults only.

CVE-2021-40444 HIGH POC
8.8 Sep 15

Windows MSHTML component contains a remote code execution vulnerability that allows attackers to craft malicious ActiveX

CVE-2021-1732 HIGH POC
7.8 Feb 25

Windows Win32k contains an out-of-bounds write vulnerability enabling local privilege escalation to SYSTEM, exploited by

CVE-2018-8174 HIGH POC
7.5 May 09

The Windows VBScript engine contains a remote code execution vulnerability in object handling that allows full system co

CVE-2019-0803 HIGH POC
7.8 Apr 09

Windows Win32k fails to properly handle objects in memory, allowing local privilege escalation exploited in the wild in

CVE-2020-1472 MEDIUM POC
5.5 Aug 17

A privilege escalation vulnerability (CVSS 5.5). Risk factors: actively exploited (KEV-listed), EPSS 94% exploitation pr

CVE-2024-30088 HIGH POC
7.0 Jun 11

Windows Kernel contains a TOCTOU race condition vulnerability allowing local privilege escalation, exploited by the OilR

CVE-2025-33053 HIGH POC
8.8 Jun 10

Windows Internet Shortcut Files (.url) contain an external control vulnerability (CVE-2025-33053, CVSS 8.8) that enables

CVE-2025-33073 HIGH POC
8.8 Jun 10

Windows SMB contains an improper access control vulnerability (CVE-2025-33073, CVSS 8.8) enabling authenticated attacker

CVE-2025-13315 CRITICAL POC
9.3 Nov 19

Twonky Server 8.5.2 on Linux and Windows allows unauthenticated access to the admin log file through a web service API b

CVE-2013-10047 CRITICAL POC
9.3 Aug 01

An unrestricted file upload vulnerability exists in MiniWeb HTTP Server <= Build 300 that allows unauthenticated remote

CVE-2012-10030 CRITICAL POC
9.3 Aug 05

FreeFloat FTP Server contains multiple critical design flaws that allow unauthenticated remote attackers to upload arbit

CVE-2025-34101 CRITICAL POC
9.3 Jul 10

Serviio Media Server versions 1.4 through 1.8 on Windows contain an unauthenticated command injection in the /rest/actio

Share

EUVD-2026-13750 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy