Description
A vulnerability was identified in AliasVault App up to 0.25.3 on Android/iOS. This vulnerability affects unknown code of the file shared_prefs/aliasvault.xml of the component Backup Handler. The manipulation of the argument accessToken/refreshToken/metadata/key_derivation_params/auth_methods leads to exposure of backup file to an unauthorized control sphere. An attack has to be approached locally. The attack is considered to have high complexity. It is stated that the exploitability is difficult. The exploit is publicly available and might be used. Upgrading to version 0.26.0 is able to resolve this issue. The identifier of the patch is 873ecc03f92238e162f98a068ad56069a922b4f6/0bd662320174d8265dfe3b05a04bc13efc960532. It is recommended to upgrade the affected component. The creator of the software explains: "Because of AliasVault's zero-knowledge encryption design, the tokens stored in aliasvault.xml are API session tokens that cannot decrypt the vault on their own: the master password is required for that. So while this isn't a direct vault compromise risk, there's no reason to include them in backups either."
Published: 2026-02-23
Score: 2 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data exposure (information disclosure).
Action: Patch.
AI Analysis

Impact

The AliasVault App contains a flaw in its Backup Handler that allows a local attacker to manipulate stored arguments within the shared_prefs/aliasvault.xml file. When the values of accessToken, refreshToken, metadata, key_derivation_params, or auth_methods are altered, the app can expose the backup file to an unauthorized control sphere. Although the tokens themselves cannot decrypt the vault without the master password, their exposure still represents a security risk.

Affected Systems

The vulnerability affects AliasVault App versions up to 0.25.3 on Android and iOS. Backups created by these versions are susceptible to tampering. The issue is resolved in version 0.26.0, which includes a patch identified by commit 873ecc03f92238e162f98a068ad56069a922b4f6.

Risk and Exploitability

The CVSS score is 2, indicating a low severity impact. The EPSS is under 1%, implying a low likelihood of exploitation. Nevertheless, the exploit requires local access and has high complexity, making it difficult but not impossible for a skilled adversary. The vulnerability is not currently listed in the CISA KEV catalog. Attackers would need to gain local device control to manipulate the XML preferences, but once successful they could extract backup data that contains session tokens.

Generated by OpenCVE AI on April 18, 2026 at 11:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AliasVault to version 0.26.0 or later to receive the fixed Backup Handler logic.
  • Disable or defer automatic backups until the app is updated, so that unpatched session tokens are not stored in readily accessible files.
  • Protect the device with strong authentication and restrict installation of unknown apps to mitigate the local exploitation requirement.

Generated by OpenCVE AI on April 18, 2026 at 11:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 12 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:aliasvault:aliasvault:*:*:*:*:*:*:*:*

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Aliasvault
Aliasvault aliasvault
Vendors & Products Aliasvault
Aliasvault aliasvault

Mon, 23 Feb 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 06:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was identified in AliasVault App up to 0.25.3 on Android/iOS. This vulnerability affects unknown code of the file shared_prefs/aliasvault.xml of the component Backup Handler. The manipulation of the argument accessToken/refreshToken/metadata/key_derivation_params/auth_methods leads to exposure of backup file to an unauthorized control sphere. An attack has to be approached locally. The attack is considered to have high complexity. It is stated that the exploitability is difficult. The exploit is publicly available and might be used. Upgrading to version 0.26.0 is able to resolve this issue. The identifier of the patch is 873ecc03f92238e162f98a068ad56069a922b4f6/0bd662320174d8265dfe3b05a04bc13efc960532. It is recommended to upgrade the affected component. The creator of the software explains: "Because of AliasVault's zero-knowledge encryption design, the tokens stored in aliasvault.xml are API session tokens that cannot decrypt the vault on their own: the master password is required for that. So while this isn't a direct vault compromise risk, there's no reason to include them in backups either."
Title AliasVault App Backup aliasvault.xml backup
Weaknesses CWE-285
CWE-530
References
Metrics cvssV2_0

{'score': 1, 'vector': 'AV:L/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 2.5, 'vector': 'CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 2.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}

cvssV4_0

{'score': 2, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Aliasvault Aliasvault
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T13:23:56.502Z

Reserved: 2026-02-22T14:47:26.948Z

Link: CVE-2026-2974

cve-icon Vulnrichment

Updated: 2026-02-23T13:23:51.249Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-23T06:16:16.760

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2974

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T11:15:35Z

Weaknesses