Cyber Posture

CVE-2026-32317

High

Published: 20 March 2026
Modified: 26 March 2026
KEV Added
Patch
CVSS Score: 7.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N)
EPSS Score: 0.0001 (2.3th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-32317 is a high-severity Origin Validation Error (CWE-346) vulnerability in Cryptomator for Android. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). The CVE ranks at the 2.3th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-5 (Access Restrictions for Change) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Adversary-in-the-Middle (T1557) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly requires integrity verification of the vault.cryptomator configuration file to prevent tampering that leads to MITM in Hub key loading.

prevent: Restricts access to changes on the vault configuration file, mitigating the PR:L requirement for attackers to tamper with it.

prevent: Ensures timely patching to version 1.12.3 or later, which fixes the integrity check and endpoint validation flaws in Cryptomator for Android.

MITRE ATT&CK Enterprise Techniques (AI)

T1557 Adversary-in-the-Middle (Credential Access)
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
T1528 Steal Application Access Token (Credential Access)
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
Why these techniques?

The vulnerability enables MITM via a tampered vault config (T1557), leading directly to application token exfiltration (T1528).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Cryptomator for Android offers multi-platform transparent client-side encryption for files in the cloud. Prior to version 1.12.3, an integrity check vulnerability allows an attacker to tamper with the vault configuration file, leading to a man-in-the-middle vulnerability in the Hub key loading mechanism. Before this fix, the client trusted endpoints from the vault config without host authenticity checks, which could allow token exfiltration by mixing a legitimate auth endpoint with a malicious API endpoint. Impacted are users unlocking Hub-backed vaults with affected client versions in environments where an attacker can alter the vault.cryptomator file. This issue has been patched in version 1.12.3.

Deeper analysis (AI)

CVE-2026-32317 is an integrity check vulnerability in Cryptomator for Android, a multi-platform client-side encryption tool for cloud-stored files. In versions prior to 1.12.3, attackers can tamper with the vault configuration file (vault.cryptomator), enabling a man-in-the-middle attack on the Hub key loading mechanism. The client previously trusted endpoints specified in the vault config without verifying host authenticity, allowing manipulation such as mixing a legitimate authentication endpoint with a malicious API endpoint. This issue affects users of Hub-backed vaults and is rated 7.6 on the CVSS 3.1 scale (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N), with associated CWEs including 346 (Origin Validation Error), 354 (Improper Validation of Integrity Check Value), 451 (User Interface Misrepresentation), and 923 (Improper Restriction of Communication Channel to Intended Endpoints).

Exploitation requires an attacker who can modify the vault.cryptomator file in an environment where an affected Cryptomator for Android client (pre-1.12.3) is used to unlock Hub-backed vaults. This requires low privileges (PR:L) and user interaction (UI:R), such as the victim opening the vault. A successful attack enables token exfiltration, with high confidentiality impact (C:H), over the network (AV:N), with low attack complexity (AC:L) and changed scope (S:C); integrity impact is low (I:L) and there is no availability impact (A:N).

The vulnerability has been patched in Cryptomator for Android version 1.12.3, as detailed in the project's GitHub release notes (https://github.com/cryptomator/android/releases/tag/1.12.3) and security advisory (https://github.com/cryptomator/android/security/advisories/GHSA-876q-q3mm-fcvj). Security practitioners should advise users to update to 1.12.3 or later and verify vault configuration integrity in untrusted environments.
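
A defender-side audit of the endpoint mixing described above, as an added example (not Cryptomator's code and not the 1.12.3 fix): it reads the header of a vault.cryptomator file and reports any Hub endpoint whose origin is not on an administrator-supplied allowlist. It assumes the file is a compact JWT whose header carries a `hub` object with the field names shown; those names, the helper functions and the example hosts are assumptions, not taken from this page.

```python
import base64
import json
from urllib.parse import urlsplit

# Assumed field names inside the header's "hub" object (not taken from the page).
ENDPOINT_FIELDS = ("authEndpoint", "tokenEndpoint", "apiBaseUrl", "devicesResourceUrl")

def encode_part(obj) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def read_unverified_header(text: str) -> dict:
    """Decode the JWT header without verifying the signature (audit use only)."""
    parts = text.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(base64.urlsafe_b64decode(parts[0] + "=" * (-len(parts[0]) % 4)))

def origin(url: str):
    """Return (host, port) for a plain https URL, else None."""
    try:
        u = urlsplit(url)
        port = u.port or 443
    except ValueError:
        return None
    if u.scheme != "https" or not u.hostname or u.username or u.password:
        return None
    return (u.hostname.lower(), port)

def audit_hub_endpoints(header: dict, trusted: set) -> list:
    """Return findings; an empty list means every endpoint is on a trusted origin."""
    hub = header.get("hub")
    if not isinstance(hub, dict):
        return ["header has no hub section"]
    findings = []
    for field in ENDPOINT_FIELDS:
        o = origin(hub[field]) if isinstance(hub.get(field), str) else None
        if o is None:
            findings.append(f"{field}: missing or not a plain https URL")
        elif o not in trusted:
            findings.append(f"{field}: untrusted origin {o[0]}:{o[1]}")
    return findings

if __name__ == "__main__":
    # Constructed sample: legitimate auth endpoints mixed with a foreign API host.
    hub = {"authEndpoint": "https://auth.example.org/auth", "tokenEndpoint": "https://auth.example.org/token",
           "apiBaseUrl": "https://hub.example.org.untrusted.example/api/", "devicesResourceUrl": "https://hub.example.org/api/devices/"}
    sample = ".".join([encode_part({"alg": "HS256", "hub": hub}), encode_part({}), "c2ln"])
    print(audit_hub_endpoints(read_unverified_header(sample), {("auth.example.org", 443), ("hub.example.org", 443)}))
```

The comparison is on the parsed host and port rather than a string prefix, so a look-alike such as `hub.example.org.untrusted.example` or a URL with userinfo before the host does not pass.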

Details

CWE(s)

Affected Products

Vendor: cryptomator · Product: cryptomator · Versions: ≤ 1.12.2

CVEs Like This One

CVE-2026-32303 (same product: Cryptomator Cryptomator)
CVE-2026-32318 (same product: Cryptomator Cryptomator)
CVE-2026-32309 (same product: Cryptomator Cryptomator)
CVE-2025-48574 (same product: Google Android)
CVE-2025-36920 (same product: Google Android)
CVE-2026-0011 (same product: Google Android)
CVE-2025-36897 (same product: Google Android)
CVE-2026-0020 (same product: Google Android)
CVE-2026-0109 (same product: Google Android)
CVE-2026-0117 (same product: Google Android)
