Description
Cryptomator is an open-source client-side encryption application for cloud storage. Version 1.19.1 contains a logic flaw in CheckHostTrustController.getAuthority() that allows an attacker to bypass the security fix for CVE-2026-32303. The method hardcodes the URI scheme based on port number, causing HTTPS URLs with port 80 to produce the same authority string as HTTP URLs, which defeats both the consistency check and the HTTP block validation. An attacker with write access to a cloud-synced vault.cryptomator file can craft a Hub configuration where apiBaseUrl and authEndpoint use HTTPS with port 80 to pass auto-trust validation, while tokenEndpoint uses plaintext HTTP. The vault is auto-trusted without user prompt, and a network-positioned attacker can intercept the OAuth token exchange to access the Cryptomator Hub API as the victim. This issue has been fixed in version 1.19.2.
Published: 2026-04-16
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication bypass allowing token theft
Action: Patch Now
AI Analysis

Impact

Cryptomator 1.19.1 contains a logic flaw in the CheckHostTrustController.getAuthority() method that hardcodes the URI scheme based on port number. This flaw causes HTTPS URLs using port 80 to be treated the same as HTTP URLs, effectively bypassing consistency checks and the HTTP block validation. An attacker who can modify a vault.cryptomator file can craft a Hub configuration where the apiBaseUrl and authEndpoint use HTTPS on port 80 to pass auto‑trust validation while the tokenEndpoint uses plain HTTP. The vault is automatically trusted without user consent, allowing a network‑positioned attacker to intercept the OAuth token exchange and gain unauthorized access to the Cryptomator Hub API as the victim.

Affected Systems

Cryptomator version 1.19.1 is affected; the issue is fixed in version 1.19.2. No other vendors or products are listed.

Risk and Exploitability

The vulnerability carries a CVSS score of 4.8 (moderate). EPSS is not available and the vulnerability is not in the CISA KEV catalog. Exploitation requires an attacker with write access to a cloud‑synced vault.cryptomator file, which can be achieved if the file is accessible to untrusted parties. The attack is thus limited to environments where such file modification is possible, and no remote code execution is directly achieved. The overall risk is moderate, with a realistic threat from compromised or poorly secured cloud storage.

Generated by OpenCVE AI on April 17, 2026 at 02:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cryptomator to version 1.19.2 or later
  • Restrict write access to vault.cryptomator files to authorized users only
  • Validate that Hub configuration URLs use standard HTTPS ports (443) and avoid HTTPS URLs with port 80

Generated by OpenCVE AI on April 17, 2026 at 02:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Cryptomator
Cryptomator cryptomator
Vendors & Products Cryptomator
Cryptomator cryptomator

Thu, 16 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description Cryptomator is an open-source client-side encryption application for cloud storage. Version 1.19.1 contains a logic flaw in CheckHostTrustController.getAuthority() that allows an attacker to bypass the security fix for CVE-2026-32303. The method hardcodes the URI scheme based on port number, causing HTTPS URLs with port 80 to produce the same authority string as HTTP URLs, which defeats both the consistency check and the HTTP block validation. An attacker with write access to a cloud-synced vault.cryptomator file can craft a Hub configuration where apiBaseUrl and authEndpoint use HTTPS with port 80 to pass auto-trust validation, while tokenEndpoint uses plaintext HTTP. The vault is auto-trusted without user prompt, and a network-positioned attacker can intercept the OAuth token exchange to access the Cryptomator Hub API as the victim. This issue has been fixed in version 1.19.2.
Title Cryptomator Hub OAuth token exchange HTTP downgrade via getAuthority() scheme confusion (CVE-2026-32303 bypass)
Weaknesses CWE-305
CWE-319
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N'}

Subscriptions

Cryptomator Cryptomator
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-16T21:12:37.076Z

Reserved: 2026-03-20T16:16:48.969Z

Link: CVE-2026-33472

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-16T22:16:37.583

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-33472

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T02:30:07Z

Weaknesses