SB20260420111 - Improper Authorization in Cryptomator
Published: April 20, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Improper Authorization (CVE-ID: CVE-2026-33472)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in CheckHostTrustController.getAuthority() when validating hub configuration URLs from a cloud-synced vault. A remote user can modify the vault.cryptomator file to downgrade the OAuth token exchange to plaintext HTTP and disclose sensitive information.
User interaction is required to open and unlock the tampered vault, and successful exploitation also requires a network-positioned adversary to intercept the plaintext token exchange.
Remediation
Install update from vendor's website.