SB20260420110 - Multiple vulnerabilities in Cryptomator



SB20260420110 - Multiple vulnerabilities in Cryptomator

Published: April 20, 2026

Security Bulletin ID SB20260420110
CSH Severity
High
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 vulnerabilities.


1) Download of code without integrity check (CVE-ID: N/A)

CWE-ID: CWE-494 - Download of Code Without Integrity Check

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code in release pipelines and inject code into officially built artifacts.

The vulnerability exists due to download of code without integrity check in the release and packaging pipeline when downloading executable third-party artifacts over HTTPS from mutable release URLs. A remote attacker can replace or serve a crafted executable from the referenced upstream path to execute arbitrary code in release pipelines and inject code into officially built artifacts.

On Windows, the downloaded executable is embedded as a WiX ExePackage and may run with elevated privileges on end-user systems when its install condition matches. On Linux, the downloaded AppImage tool is executed directly in CI and its output is used to build signed release artifacts.


2) Path traversal (CVE-ID: CVE-2026-32310)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to path traversal in the masterkeyfile loader when processing an unverified vault configuration during the unlock flow. A remote user can supply a crafted masterkeyfile key identifier that resolves to a local or UNC path to disclose sensitive information.

User interaction is required to open or unlock a malicious vault, and on Windows a UNC path can trigger outbound SMB access before the passphrase is entered.


3) Improper restriction of communication channel to intended endpoints (CVE-ID: CVE-2026-32303)

CWE-ID: CWE-923 - Improper Restriction of Communication Channel to Intended Endpoints

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper restriction of communication channel to intended endpoints in the Hub key loading mechanism when processing a tampered vault configuration file during unlock. A remote user can alter the vault.cryptomator file to disclose sensitive information.

User interaction is required to unlock a Hub-backed vault, and vault data was not exposed because Cryptomator Hub uses end-to-end encryption.


4) Cleartext transmission of sensitive information (CVE-ID: CVE-2026-32309)

CWE-ID: CWE-319 - Cleartext Transmission of Sensitive Information

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to observe or tamper with sensitive authentication and key-loading traffic.

The vulnerability exists due to cleartext transmission of sensitive information in the Hub unlock flow when processing Hub endpoints from vault metadata without enforcing HTTPS. A remote attacker can supply a crafted vault configuration or intercept network traffic to observe or alter sensitive authentication and key-loading traffic.

The issue affects OAuth authorization and token exchange, device registration data, encrypted user keys, and vault access tokens, and can also direct the client to attacker-controlled endpoints without a trust prompt.


Remediation

Install update from vendor's website.