Download of code without integrity check in Cryptomator - #VU126586
Published: April 20, 2026


Vulnerability identifier: #VU126586
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-494
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: cryptomator
Affected software:
Cryptomator

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code in release pipelines and inject code into officially built artifacts.

The vulnerability exists because the release and packaging pipeline downloads executable third-party artifacts over HTTPS from mutable release URLs without verifying their integrity. A remote attacker who can replace or serve a crafted executable at the referenced upstream path can execute arbitrary code in the release pipelines and inject code into officially built artifacts.

On Windows, the downloaded executable is embedded as a WiX ExePackage and may run with elevated privileges on end-user systems when its install condition matches. On Linux, the downloaded AppImage tool is executed directly in CI and its output is used to build signed release artifacts.
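Added example, not code from the advisory or the Cryptomator project: a POSIX shell fragment showing the defensive pattern for this weakness class, pinning the expected SHA-256 of a third-party executable in the repository and refusing to run the download when its bytes differ. The helper names, the pinned digest and the sample artifact are constructed for the example.

```shell
#!/bin/sh
# Pipeline step for a third-party executable fetched from a mutable URL:
# compare the download against a digest committed to the repo, and only
# execute it when the digest matches. All names here are constructed.
set -eu

# Stand-in for the downloaded file (a real pipeline would curl it here).
make_sample_artifact() {
  printf 'echo hello from sample tool\n' > "$1"
}

# Portable SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Returns 0 only when the file's digest equals the pinned digest.
verify_artifact() {
  file="$1"; pinned="$2"
  actual=$(sha256_of "$file")
  if [ "$actual" = "$pinned" ]; then
    return 0
  fi
  echo "integrity check failed for $file: expected $pinned, got $actual" >&2
  return 1
}

# Download (simulated), verify, and execute only on success; a mismatch
# leaves nothing executed and fails the build step.
fetch_verify_run() {
  pinned="$1"
  tmp=$(mktemp)
  make_sample_artifact "$tmp"
  if verify_artifact "$tmp" "$pinned"; then
    chmod +x "$tmp"
    sh "$tmp"
    rc=0
  else
    rc=1
  fi
  rm -f "$tmp"
  return $rc
}
```

In a real pipeline the pinned digest lives in version control next to the download URL, so changing the upstream file without a matching commit fails the build instead of silently reaching the signed artifacts.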


Remediation

Install the security update from the vendor's website.

Sources