Byte Open Security

(ByteOS Network)

Vulnerability Details: CVE-2026-32303

Summary
Assigner: GitHub_M
Assigner Org ID: a0819718-46f1-4df5-94e2-005712e83aaa
Published At: 20 Mar, 2026 | 17:57
Updated At: 23 Mar, 2026 | 21:41

Cryptomator: Tampered vault configuration allows MITM attack on Hub API

Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.1, an integrity check vulnerability allows an attacker to tamper with the vault configuration file, leading to a man-in-the-middle vulnerability in the Hub key loading mechanism. Before this fix, the client trusted endpoints from the vault config without host authenticity checks, which could allow token exfiltration by mixing a legitimate auth endpoint with a malicious API endpoint. Impacted are users unlocking Hub-backed vaults with affected client versions in environments where an attacker can alter the vault.cryptomator file. This issue has been patched in version 1.19.1.

Common Vulnerabilities and Exposures (CVE)
cve.org
CVE Numbering Authority (CNA)
Affected Products
Vendor: cryptomator
Product: cryptomator
Affected versions:
  • < 1.19.1
Problem Types
  • CWE-346: Origin Validation Error
  • CWE-354: Improper Validation of Integrity Check Value
  • CWE-451: User Interface (UI) Misrepresentation of Critical Information
  • CWE-923: Improper Restriction of Communication Channel to Intended Endpoints
Metrics
Version: 3.1
Base score: 7.6
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
References
  • https://github.com/cryptomator/cryptomator/security/advisories/GHSA-34rf-rwr3-7g43 (x_refsource_CONFIRM)
  • https://github.com/cryptomator/cryptomator/pull/4179 (x_refsource_MISC)
  • https://github.com/cryptomator/cryptomator/commit/6b82abcd80449a30b561d823193f9ecea542a625 (x_refsource_MISC)
  • https://github.com/cryptomator/cryptomator/releases/tag/1.19.1 (x_refsource_MISC)
National Vulnerability Database (NVD)
nvd.nist.gov
Source: security-advisories@github.com
Published At: 20 Mar, 2026 | 18:16
Updated At: 26 Mar, 2026 | 13:55

CISA Catalog: N/A
Metrics
Type: Secondary
Version: 3.1
Base score: 7.6
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

Type: Primary
Version: 3.1
Base score: 5.9
Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
CPE Matches

cryptomator > cryptomator > Versions before 1.19.1 (exclusive)
cpe:2.3:a:cryptomator:cryptomator:*:*:*:*:*:*:*:*
Weaknesses
  • CWE-346 (Type: Primary; Source: security-advisories@github.com)
  • CWE-354 (Type: Primary; Source: security-advisories@github.com)
  • CWE-451 (Type: Primary; Source: security-advisories@github.com)
  • CWE-923 (Type: Primary; Source: security-advisories@github.com)
References
  • https://github.com/cryptomator/cryptomator/commit/6b82abcd80449a30b561d823193f9ecea542a625 (Patch; Source: security-advisories@github.com)
  • https://github.com/cryptomator/cryptomator/pull/4179 (Issue Tracking; Source: security-advisories@github.com)
  • https://github.com/cryptomator/cryptomator/releases/tag/1.19.1 (Release Notes; Source: security-advisories@github.com)
  • https://github.com/cryptomator/cryptomator/security/advisories/GHSA-34rf-rwr3-7g43 (Vendor Advisory; Source: security-advisories@github.com)

Similar CVEs

3 records found

CVE-2026-32318
Matching Score: 10
Assigner: GitHub, Inc.
CVSS Score: 7.6 (HIGH)
EPSS: 0.08% / 0.18%
7 Day CHG: ~0.00%
Published: 20 Mar, 2026 | 18:27
Updated: 26 Mar, 2026 | 13:48

Cryptomator for iOS: Tampered vault configuration allows MITM attack on Hub API

Cryptomator for iOS offers multi-platform transparent client-side encryption for files in the cloud. Prior to version 2.8.3, an integrity check vulnerability allows an attacker to tamper with the vault configuration file, leading to a man-in-the-middle vulnerability in the Hub key loading mechanism. Before this fix, the client trusted endpoints from the vault config without host authenticity checks, which could allow token exfiltration by mixing a legitimate auth endpoint with a malicious API endpoint. Impacted are users unlocking Hub-backed vaults with affected client versions in environments where an attacker can alter the vault.cryptomator file. This issue has been patched in version 2.8.3.

Vendor: cryptomator, cryptomator, Apple Inc.
Product: iphone_os, cryptomator, ios
Weaknesses:
  • CWE-346: Origin Validation Error
  • CWE-354: Improper Validation of Integrity Check Value
  • CWE-451: User Interface (UI) Misrepresentation of Critical Information
  • CWE-923: Improper Restriction of Communication Channel to Intended Endpoints

CVE-2026-32317
Matching Score: 10
Assigner: GitHub, Inc.
CVSS Score: 7.6 (HIGH)
EPSS: 0.06% / 0.01%
7 Day CHG: ~0.00%
Published: 20 Mar, 2026 | 18:29
Updated: 26 Mar, 2026 | 13:56

Cryptomator for Android: Tampered vault configuration allows MITM attack on Hub API

Cryptomator for Android offers multi-platform transparent client-side encryption for files in the cloud. Prior to version 1.12.3, an integrity check vulnerability allows an attacker to tamper with the vault configuration file, leading to a man-in-the-middle vulnerability in the Hub key loading mechanism. Before this fix, the client trusted endpoints from the vault config without host authenticity checks, which could allow token exfiltration by mixing a legitimate auth endpoint with a malicious API endpoint. Impacted are users unlocking Hub-backed vaults with affected client versions in environments where an attacker can alter the vault.cryptomator file. This issue has been patched in version 1.12.3.

Vendor: cryptomator, cryptomator, Google LLC
Product: cryptomator, android, android
Weaknesses:
  • CWE-346: Origin Validation Error
  • CWE-354: Improper Validation of Integrity Check Value
  • CWE-451: User Interface (UI) Misrepresentation of Critical Information
  • CWE-923: Improper Restriction of Communication Channel to Intended Endpoints

CVE-2026-42558
Matching Score: 4
Assigner: GitHub, Inc.
CVSS Score: 7.6 (HIGH)
EPSS: 0.11% / 1.54%
7 Day CHG: -0.04%
Published: 10 Jun, 2026 | 21:39
Updated: 11 Jun, 2026 | 15:30

Xibo Vulnerable to Stored XSS and Iframe Sandbox Escape via Data Connector Script in DataSet

Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to 4.4.2, a vulnerability chain consisting of Stored XSS and Iframe Sandbox escape in the Xibo CMS allows users with DataSet permissions to use the Data Connector functionality to craft messages which escape the sandbox and facilitate XSS. Exploitation of the vulnerability is possible on behalf of an authorized user who has both of the following privileges, which are not granted to non-admins as standard: Include "Add DataSet" button to allow for additional DataSets to be created independently to Layouts. Users should upgrade to version 4.4.2 which fixes this issue. Upgrading to a fixed version is necessary to remediate. Users unable to upgrade should revoke such privileges from users they do not trust.

Vendor: xibosignage
Product: xibo-cms
Weaknesses:
  • CWE-116: Improper Encoding or Escaping of Output
  • CWE-346: Origin Validation Error
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')