CVE-2026-32303
Published: 20 March 2026
Summary
CVE-2026-32303 is a high-severity Origin Validation Error (CWE-346) vulnerability in Cryptomator. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528). It ranks at the 5.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-7 (Software, Firmware, and Information Integrity).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires integrity verification of the vault.cryptomator configuration file to detect tampering and prevent trusting malicious endpoints specified within it.
Mandates timely flaw remediation by patching Cryptomator to version 1.19.1 or later, which implements the missing integrity checks for the vault configuration.
Establishes processes to control and approve changes to the vault.cryptomator file, reducing the attacker's ability to tamper with it despite low privileges.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability's core impact is enabling token exfiltration to a malicious endpoint via tampered vault config and missing endpoint validation, which directly maps to stealing application access tokens (T1528) for subsequent unauthorized API/Hub access.
NVD Description
Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.1, an integrity check vulnerability allows an attacker to tamper with the vault configuration file leading to a man-in-the-middle vulnerability in Hub key loading mechanism. Before this fix, the client trusted endpoints from the vault config without host authenticity checks, which could allow token exfiltration by mixing a legitimate auth endpoint with a malicious API endpoint. Impacted are users unlocking Hub-backed vaults with affected client versions in environments where an attacker can alter the vault.cryptomator file. This issue has been patched in version 1.19.1.
Deeper analysis
CVE-2026-32303 is an integrity check vulnerability in Cryptomator, an application that encrypts data stored on cloud infrastructure. It affects versions prior to 1.19.1 and centers on the vault configuration file, vault.cryptomator. An attacker who can tamper with this file can create a man-in-the-middle condition in the Hub key loading mechanism. Prior to the fix, the client trusted endpoints specified in the vault config without performing host authenticity checks, which could facilitate token exfiltration by combining a legitimate authentication endpoint with a malicious API endpoint. The vulnerability carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N) and is associated with CWE-346, CWE-354, CWE-451, and CWE-923.
Exploitation targets users unlocking Hub-backed vaults using affected Cryptomator client versions in environments where an attacker can modify the vault.cryptomator file. The attacker requires low privileges (PR:L) and relies on network access (AV:N) with low attack complexity (AC:L), but user interaction is needed, such as unlocking the vault (UI:R). Successful attacks lead to high confidentiality impact (C:H) through token exfiltration, with the scope changing (S:C) due to the altered trust in endpoints.
Cryptomator addressed this issue in version 1.19.1. Mitigation details are documented in the patching commit at https://github.com/cryptomator/cryptomator/commit/6b82abcd80449a30b561d823193f9ecea542a625, pull request #4179 at https://github.com/cryptomator/cryptomator/pull/4179, release notes at https://github.com/cryptomator/cryptomator/releases/tag/1.19.1, and the security advisory at https://github.com/cryptomator/cryptomator/security/advisories/GHSA-34rf-rwr3-7g43. Security practitioners should ensure clients are updated to 1.19.1 or later and verify vault configuration integrity in untrusted environments.
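The configuration check recommended above can be scripted; the following is an added example, not code from Cryptomator or from this page. It assumes vault.cryptomator is a compact JWT whose header carries the Hub endpoint URLs; the `hub` object, its field names, and all hosts in the sample are constructed for illustration.

```python
import base64
import json
from urllib.parse import urlsplit

def b64url(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def jwt_header(token: str) -> dict:
    """Decode the JOSE header of a compact JWT without verifying the signature."""
    seg = token.strip().split(".")[0]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def collect_urls(node, path=""):
    """Yield (json_path, value) for every string in the header that looks like a URL."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from collect_urls(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from collect_urls(value, f"{path}[{i}]")
    elif isinstance(node, str) and "://" in node:
        yield path, node

def audit_vault_config(token: str, trusted_hosts: set) -> list:
    """Flag endpoints that are not HTTPS or whose host is not on the allowlist.

    trusted_hosts must come from a source the attacker cannot edit (not the vault).
    """
    findings = []
    for path, url in collect_urls(jwt_header(token)):
        parts = urlsplit(url)
        scheme = parts.scheme.rsplit("+", 1)[-1]  # tolerate compound schemes ("x+https")
        host = (parts.hostname or "").lower()
        if scheme != "https":
            findings.append((path, url, "not https"))
        elif host not in trusted_hosts:
            findings.append((path, url, "untrusted host"))
    return findings

# Constructed sample data (hypothetical field names and hosts).
HUB = {"clientId": "cryptomator", "authEndpoint": "https://auth.example.org/auth",
       "tokenEndpoint": "https://auth.example.org/token",
       "apiBaseUrl": "https://hub.example.org/api/"}
def make_token(hub: dict) -> str:
    return f'{b64url({"alg": "ES384", "typ": "JWT", "hub": hub})}.{b64url({})}.c2ln'
CLEAN = make_token(HUB)
TAMPERED = make_token({**HUB, "apiBaseUrl": "https://api.example.net/api/"})
TRUSTED = {"auth.example.org", "hub.example.org"}

if __name__ == "__main__":
    for name, tok in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, audit_vault_config(tok, TRUSTED))
```

The tampered sample keeps the legitimate auth endpoint and swaps only the API endpoint, which is the mix the advisory describes; the audit reports that single field.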
Details
- CWE(s)