Description
Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.1, the Hub-based unlock flow explicitly supports hub+http and consumes Hub endpoints from vault metadata without enforcing HTTPS. As a result, a vault configuration can drive OAuth and key-loading traffic over plaintext HTTP or other insecure endpoint combinations. An active network attacker can tamper with or observe this traffic. Even when the vault key is encrypted for the device, bearer tokens and endpoint-level trust decisions are still exposed to downgrade and interception. This issue has been patched in version 1.19.1.
Published: 2026-03-20
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive authentication data exposed via plaintext HTTP
Action: Apply Patch
AI Analysis

Impact

Cryptomator’s Hub unlocking flow permits Hub endpoints to be transmitted over plain HTTP and accepts unvalidated endpoint schemes. This flaw allows attacker to observe or tamper with OAuth bearer tokens and key‑loading traffic that should otherwise travel securely. The vulnerability is an instance of insecure transmission of sensitive information.

Affected Systems

All users of Cryptomator running versions older than 1.19.1 and employing the Hub‑based unlock mechanism are affected. The issue originates from vault configuration files that store Hub endpoint definitions without enforcing HTTPS.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity for confidentiality and integrity. EPSS is below 1 %, suggesting a low likelihood of exploitation. It is inferred that a network attacker who can intercept traffic to the Hub service could exploit the flaw. The vulnerability is not listed in the CISA KEV catalog. Exposing bearer tokens and endpoint decisions can lead to unauthorized access if an attacker successfully downgrades the communication channel.

Generated by OpenCVE AI on March 26, 2026 at 01:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Cryptomator to version 1.19.1 or later and verify the installation

Generated by OpenCVE AI on March 26, 2026 at 01:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:cryptomator:cryptomator:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Wed, 25 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Cryptomator
Cryptomator cryptomator
Vendors & Products Cryptomator
Cryptomator cryptomator

Fri, 20 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
Description Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.1, the Hub-based unlock flow explicitly supports hub+http and consumes Hub endpoints from vault metadata without enforcing HTTPS. As a result, a vault configuration can drive OAuth and key-loading traffic over plaintext HTTP or other insecure endpoint combinations. An active network attacker can tamper with or observe this traffic. Even when the vault key is encrypted for the device, bearer tokens and endpoint-level trust decisions are still exposed to downgrade and interception. This issue has been patched in version 1.19.1.
Title Cryptomator: Hub unlocking accepts plaintext HTTP and unvalidated endpoint schemes
Weaknesses CWE-319
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Cryptomator Cryptomator
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T15:24:06.876Z

Reserved: 2026-03-11T21:16:21.659Z

Link: CVE-2026-32309

cve-icon Vulnrichment

Updated: 2026-03-25T13:59:38.687Z

cve-icon NVD

Status : Modified

Published: 2026-03-20T19:16:15.733

Modified: 2026-03-27T16:16:24.147

Link: CVE-2026-32309

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T12:20:38Z

Weaknesses