CVE-2026-32309
Published: 20 March 2026
Summary
CVE-2026-32309 is a high-severity Cleartext Transmission of Sensitive Information (CWE-319) vulnerability in Cryptomator. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). The CVE ranks at the 5.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-8 (Transmission Confidentiality and Integrity) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires protection of the confidentiality and integrity of transmitted information such as bearer tokens over networks, directly preventing exposure via plaintext HTTP to Hub endpoints.
Mandates timely identification, reporting, and correction of flaws like this CVE, achieved by updating Cryptomator to version 1.19.1 which enforces HTTPS.
Monitors and controls communications at external boundaries, restricting insecure HTTP flows to Hub endpoints derived from vault metadata.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability permits plaintext HTTP transmission of OAuth bearer tokens and endpoint data, directly enabling an active network attacker to perform man-in-the-middle interception or tampering of authentication material.
NVD Description
Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.1, the Hub-based unlock flow explicitly supports hub+http and consumes Hub endpoints from vault metadata without enforcing HTTPS. As a result, a vault configuration can drive OAuth and key-loading traffic over plaintext HTTP or other insecure endpoint combinations. An active network attacker can tamper with or observe this traffic. Even when the vault key is encrypted for the device, bearer tokens and endpoint-level trust decisions are still exposed to downgrade and interception. This issue has been patched in version 1.19.1.
Deeper analysis
CVE-2026-32309 is a vulnerability in Cryptomator, an open-source tool for encrypting data stored on cloud infrastructure. In versions prior to 1.19.1, the Hub-based unlock flow explicitly supports hub+http schemes and consumes Hub endpoints directly from vault metadata without enforcing HTTPS. This allows vault configurations to route OAuth and key-loading traffic over plaintext HTTP or other insecure endpoint combinations, exposing sensitive communications to interception or tampering.
An active network attacker positioned to intercept traffic between the client and Hub endpoints can exploit this issue with network access and low complexity, requiring no privileges or user interaction. Successful exploitation enables observation or manipulation of bearer tokens used in OAuth flows and endpoint trust decisions, even when the vault key itself is encrypted for the device. The vulnerability yields high confidentiality impact with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-319 (Cleartext Transmission of Sensitive Information).
The issue has been addressed in Cryptomator version 1.19.1, as detailed in the project's release notes and security advisory. Security practitioners should update to 1.19.1 or later and review vault configurations for insecure endpoint schemes, enforcing HTTPS where possible to mitigate risks from network path compromises.
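One way to carry out the configuration review recommended above, as an added example that is not Cryptomator's own code: it decodes the header of a vault configuration token and reports every URL-valued field that does not use a TLS scheme. It assumes the vault configuration is a JWT whose header carries the Hub key ID and endpoint URLs; the field names and hosts in the sample are constructed for illustration.

```python
import base64
import json
from urllib.parse import urlsplit

# "hub+https" is assumed to be the TLS counterpart of the advisory's "hub+http".
SECURE_SCHEMES = {"https", "hub+https"}

def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample header; field names and hosts are assumptions.
SAMPLE_HEADER = {
    "alg": "ES384",
    "kid": "hub+http://hub.example.test/api/vaults/0000",
    "hub": {
        "authEndpoint": "https://idp.example.test/auth",
        "tokenEndpoint": "http://idp.example.test/token",
        "apiBaseUrl": "https://hub.example.test/api/",
    },
}
SAMPLE_TOKEN = f"{_b64(SAMPLE_HEADER)}.{_b64({'format': 8})}.c2ln"

def jwt_header(token):
    """Decode the header segment of a compact JWT without verifying the signature."""
    segment = token.strip().split(".")[0]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def insecure_endpoints(node, path="header"):
    """Return (json_path, value) for every URL-like string whose scheme is not TLS."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            findings += insecure_endpoints(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            findings += insecure_endpoints(value, f"{path}[{i}]")
    elif isinstance(node, str) and "://" in node:
        if urlsplit(node).scheme.lower() not in SECURE_SCHEMES:
            findings.append((path, node))
    return findings

def audit_vault_config(token):
    """List the endpoints a vault configuration would have a client contact without TLS."""
    return insecure_endpoints(jwt_header(token))

if __name__ == "__main__":
    for path, url in audit_vault_config(SAMPLE_TOKEN):
        print(f"insecure endpoint at {path}: {url}")
```

An empty result means every URL in the header uses an accepted scheme; it does not replace updating to 1.19.1.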
Details
- CWE(s)