Description
AliasVault is a privacy-first password manager with built-in email aliasing. AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were validated. Under certain local conditions, a malicious app could attempt to obtain a passkey response for a site it was not authorized to access. The issue involved incomplete validation of calling app identity, origin, and RP ID in the Android credential provider. This issue was fixed in AliasVault Android 0.25.3.
Published: 2026-01-14
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Credential Access
Action: Apply Patch
AI Analysis

Impact

AliasVault is a privacy-first password manager that provides an Android credential provider for passkey requests. In versions 0.24.0 through 0.25.2 the provider did not fully validate the calling app's identity, origin, and RP ID, allowing a malicious local Android app to obtain a passkey response for a site it was not authorized to access. This omission is an origin validation error (CWE-346) that can expose user credentials and compromise confidentiality.

Affected Systems

AliasVault Android application, versions 0.24.0 to 0.25.2 (vendor: AliasVault)

Risk and Exploitability

The CVSS score of 6.1 indicates medium severity. The EPSS score of less than 1% suggests a low probability of exploitation at the current time, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a malicious app to run on the same device and to trigger a passkey request, and the CVSS vector (UI:R) indicates that user interaction with that request is also required; the attacker can then receive a passkey response for a site it was not authorized to access, effectively bypassing normal authorization controls.

Generated by OpenCVE AI on April 18, 2026 at 16:17 UTC.

Remediation

No vendor fix or workaround is recorded in this field; the vendor description above states the issue was fixed in AliasVault Android 0.25.3.

OpenCVE Recommended Actions

  • Upgrade AliasVault Android to version 0.25.3 or later to fix the origin validation issue.
  • Audit and remove any unknown or untrusted Android applications that could send unauthorized passkey requests.
  • Enforce device policy to restrict credential provider access to trusted applications only, and monitor for unusual credential request activity.

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 14:00:00 +0000

Type    Values Removed    Values Added
CPEs    (none)            cpe:2.3:a:aliasvault:aliasvault:*:*:*:*:*:*:*:*

Thu, 15 Jan 2026 08:15:00 +0000

Type                  Values Removed    Values Added
First Time appeared   (none)            Aliasvault; Aliasvault aliasvault; Google; Google android
Vendors & Products    (none)            Aliasvault; Aliasvault aliasvault; Google; Google android

Wed, 14 Jan 2026 17:15:00 +0000

Type       Values Removed    Values Added
Metrics    (none)            ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 14 Jan 2026 17:00:00 +0000

Type          Values Removed    Values Added
Description   (none)            AliasVault is a privacy-first password manager with built-in email aliasing. AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were validated. Under certain local conditions, a malicious app could attempt to obtain a passkey response for a site it was not authorized to access. The issue involved incomplete validation of calling app identity, origin, and RP ID in the Android credential provider. This issue was fixed in AliasVault Android 0.25.3.
Title         (none)            AliasVault is Missing Origin Validation in Android Passkey Credential Provider
Weaknesses    (none)            CWE-346
References    (none)
Metrics       (none)            cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-14T16:59:24.012Z

Reserved: 2026-01-08T19:23:09.855Z

Link: CVE-2026-22694

Vulnrichment

Updated: 2026-01-14T16:59:21.378Z

NVD

Status: Analyzed

Published: 2026-01-14T17:16:08.810

Modified: 2026-03-05T13:45:38.950

Link: CVE-2026-22694

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:30:05Z

Weaknesses