Description
Cryptomator for iOS offers multi-platform transparent client-side encryption for files in the cloud. Prior to version 2.8.3, an integrity-check vulnerability allows an attacker to tamper with the vault configuration file, leading to a man-in-the-middle vulnerability in the Hub key loading mechanism. Before this fix, the client trusted endpoints from the vault config without host authenticity checks, which could allow token exfiltration by mixing a legitimate auth endpoint with a malicious API endpoint. Impacted are users unlocking Hub-backed vaults with affected client versions in environments where an attacker can alter the vault.cryptomator file. This issue has been patched in version 2.8.3.
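The description boils down to one design point: a file an attacker can rewrite cannot vouch for the servers named inside it, so the client needs an anchor it trusts independently of the file. The following Python sketch is an added illustration of that check, not Cryptomator's code: the vault config layout, the "hub" field names and the idea of an "enrolled host" known from outside the file are all assumptions made for the example. It shows the vulnerable pattern (use whatever the file says) next to a hardened one (require a single https origin and require it to be the enrolled host), run over a constructed legitimate config and a constructed tampered one in which only the API endpoint was redirected.

```python
import json
from urllib.parse import urlsplit

# Constructed sample configs. The "hub" section and its field names are
# hypothetical; they are not the real vault.cryptomator schema.
LEGIT_CONFIG = json.dumps({
    "hub": {
        "authEndpoint": "https://hub.example.com/realms/demo/auth",
        "apiBaseUrl": "https://hub.example.com/api/",
    }
})

# Constructed tampered config: the auth endpoint is untouched, so the login
# step still looks normal, but the API base URL now names another host.
TAMPERED_CONFIG = json.dumps({
    "hub": {
        "authEndpoint": "https://hub.example.com/realms/demo/auth",
        "apiBaseUrl": "https://hub.example.com.attacker.test/api/",
    }
})


class VaultConfigError(ValueError):
    """Raised when the config names an endpoint the client must not use."""


def _origin(url: str) -> tuple[str, str, int]:
    """Reduce a URL to (scheme, host, port); anything but https is rejected."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise VaultConfigError(f"endpoint must be an https URL: {url!r}")
    return (parts.scheme, parts.hostname.lower(), parts.port or 443)


def hub_endpoints_unchecked(raw_config: str) -> tuple[str, str]:
    """Vulnerable pattern: use the endpoints exactly as the file names them."""
    hub = json.loads(raw_config)["hub"]
    return hub["authEndpoint"], hub["apiBaseUrl"]


def hub_endpoints_checked(raw_config: str, trusted_host: str) -> tuple[str, str]:
    """Hardened pattern: both endpoints must share one https origin, and that
    origin must be the host the user enrolled with. trusted_host is assumed to
    come from outside the file (e.g. stored at enrollment), never from the
    config itself, otherwise the attacker could rewrite it too."""
    auth, api = hub_endpoints_unchecked(raw_config)
    origins = {_origin(auth), _origin(api)}
    if len(origins) != 1:
        raise VaultConfigError(
            f"auth and API endpoints have different origins: {sorted(origins)}"
        )
    (_, host, _), = origins
    if host != trusted_host.lower():
        raise VaultConfigError(
            f"hub host {host!r} is not the enrolled host {trusted_host!r}"
        )
    return auth, api


def audit(raw_config: str, trusted_host: str) -> str:
    """Return 'accepted' or 'rejected: <reason>' for a config."""
    try:
        hub_endpoints_checked(raw_config, trusted_host)
    except VaultConfigError as exc:
        return f"rejected: {exc}"
    return "accepted"


if __name__ == "__main__":
    for name, cfg in (("legit", LEGIT_CONFIG), ("tampered", TAMPERED_CONFIG)):
        print(name, "unchecked ->", hub_endpoints_unchecked(cfg)[1])
        print(name, "checked   ->", audit(cfg, "hub.example.com"))
```

The unchecked loader happily returns the attacker's API base URL for the tampered file; the checked loader refuses it because the two endpoints no longer share an origin, and it would also refuse a config whose single origin is not the enrolled host. A same-origin rule alone is not enough (an attacker who can rewrite the file can rewrite both URLs consistently), which is why the comparison against an independently stored host is the part that matters.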
Published: 2026-03-20
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Man‑in‑the‑Middle via tampered vault configuration
Action: Patch
AI Analysis

Impact

A flaw in Cryptomator for iOS allows an attacker to modify the vault configuration file because the integrity check is missing. The tampered file points the client to a malicious Hub API endpoint without validating the host, enabling a man‑in‑the‑middle attack that can steal authentication tokens. This leads to unauthorized access to vault contents and possible credential theft.

Affected Systems

Cryptomator iOS clients before version 2.8.3. Users who unlock Hub‑backed vaults on iOS devices with these versions in environments where an attacker can alter the vault.cryptomator file. The vulnerability applies to all iPhone OS versions that run the affected app.

Risk and Exploitability

The CVSS score is 7.6, indicating a high severity. EPSS is below 1%, suggesting a low current probability of exploitation. The issue is not listed in CISA’s KEV catalog. Exploitation requires the attacker to be able to modify the vault configuration file, which could occur through local device compromise, a malicious installer, or remote file manipulation if the vault is stored on shared media. Once the file is altered, the iOS client trusts the rogue endpoint and can expose tokens, effectively performing a MITM. The likely attack vector is tampering with the vault file prior to use; no additional network privilege is required.

Generated by OpenCVE AI on March 26, 2026 at 16:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cryptomator iOS to version 2.8.3 or later.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 14:00:00 +0000

  • First Time appeared (values added): Apple; Apple iphone Os; Cryptomator cryptomator
  • CPEs (values added): cpe:2.3:a:cryptomator:cryptomator:*:*:*:*:*:*:*:*; cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
  • Vendors & Products (values added): Apple; Apple iphone Os; Cryptomator cryptomator

Mon, 23 Mar 2026 10:00:00 +0000

  • First Time appeared (values added): Cryptomator; Cryptomator ios
  • Vendors & Products (values added): Cryptomator; Cryptomator ios

Fri, 20 Mar 2026 20:15:00 +0000

  • Metrics ssvc (values added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 18:45:00 +0000

  • Description (values added): Cryptomator for IOS offers multi-platform transparent client-side encryption for files in the cloud. Prior to version 2.8.3, an integrity check vulnerability allows an attacker tamper with the vault configuration file leading to a man-in-the-middle vulnerability in Hub key loading mechanism. Before this fix, the client trusted endpoints from the vault config without host authenticity checks, which could allow token exfiltration by mixing a legitimate auth endpoint with a malicious API endpoint. Impacted are users unlocking Hub-backed vaults with affected client versions in environments where an attacker can alter the vault.cryptomator file. This issue has been patched in version 2.8.3.
  • Title (values added): Cryptomator for IOS: Tampered vault configuration allows MITM attack on Hub API
  • Weaknesses (values added): CWE-346; CWE-354; CWE-451; CWE-923
  • References (values added): none listed
  • Metrics cvssV3_1 (values added): {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T19:20:49.867Z

Reserved: 2026-03-11T21:16:21.660Z

Link: CVE-2026-32318

Vulnrichment

Updated: 2026-03-20T19:20:29.845Z

NVD

Status : Analyzed

Published: 2026-03-20T19:16:16.277

Modified: 2026-03-26T13:48:30.950

Link: CVE-2026-32318

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:21:32Z