Cleartext transmission of sensitive information in Cryptomator - CVE-2026-32309


Published: April 20, 2026


Vulnerability identifier: #VU126589
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-32309
CWE-ID: CWE-319
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: cryptomator
Affected software:
Cryptomator

Detailed vulnerability description

The vulnerability allows a remote attacker to observe or tamper with sensitive authentication and key-loading traffic.

The vulnerability exists due to cleartext transmission of sensitive information in the Hub unlock flow: the client processes Hub endpoints taken from vault metadata without enforcing HTTPS. A remote attacker can supply a crafted vault configuration or intercept network traffic to observe or alter sensitive authentication and key-loading traffic.

The issue affects OAuth authorization and token exchange, device registration data, encrypted user keys, and vault access tokens, and can also direct the client to attacker-controlled endpoints without a trust prompt.
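The defect described above is a missing check on the scheme (and, implicitly, the trust of the host) of endpoint URLs read from vault metadata. The following Python is an added illustration written for this advisory, not Cryptomator's own (Java) code: the weak pattern that forwards whatever URLs the metadata carries is shown beside a hardened loader that rejects anything other than absolute https URLs and reports hosts that are not already trusted, so the caller can present a trust prompt before any request is sent. The JSON sample, the key names under "hub" and the trusted-host set are constructed for the example and are not the project's actual schema.

```python
"""Added example (not Cryptomator's code): validate Hub endpoint URLs found in
vault metadata before the unlock flow makes any network request."""
import json
from urllib.parse import urlsplit

# Constructed sample of the kind of Hub metadata a vault config might carry.
# The key names are assumptions for illustration, not the project's schema.
SAMPLE_VAULT_METADATA = json.dumps({
    "hub": {
        "authEndpoint": "http://hub.example.test/auth",        # cleartext: must be rejected
        "tokenEndpoint": "https://hub.example.test/token",
        "devicesResourceUrl": "https://hub.example.test/api/devices/",
        "apiBaseUrl": "https://other.example.test/api/",        # unknown host: needs a trust decision
    }
})

ENDPOINT_KEYS = ("authEndpoint", "tokenEndpoint", "devicesResourceUrl", "apiBaseUrl")


class InsecureEndpoint(ValueError):
    """Raised when an endpoint URL from vault metadata fails validation."""


def load_hub_endpoints_unchecked(metadata_json):
    """Weak pattern: trusts whatever scheme and host the vault metadata carries,
    so an http:// endpoint or an unexpected host is used as-is."""
    hub = json.loads(metadata_json)["hub"]
    return {key: hub[key] for key in ENDPOINT_KEYS}


def validate_endpoint(url):
    """Accept only absolute https URLs with a host, no embedded credentials
    and no fragment; return the URL unchanged on success."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise InsecureEndpoint(f"non-https scheme {parts.scheme!r} in {url}")
    if not parts.hostname:
        raise InsecureEndpoint(f"missing host in {url}")
    if parts.username is not None or parts.password is not None:
        raise InsecureEndpoint(f"credentials embedded in {url}")
    if parts.fragment:
        raise InsecureEndpoint(f"fragment not allowed in {url}")
    return url


def is_secure_endpoint(url):
    """Boolean form of validate_endpoint for callers that only need a yes/no."""
    try:
        validate_endpoint(url)
        return True
    except InsecureEndpoint:
        return False


def load_hub_endpoints(metadata_json, trusted_hosts):
    """Hardened pattern: every endpoint must pass validate_endpoint, and hosts
    not in trusted_hosts are collected so the caller can show a trust prompt
    before any traffic is sent. Returns (endpoints, untrusted_hosts)."""
    hub = json.loads(metadata_json)["hub"]
    endpoints = {}
    untrusted_hosts = set()
    for key in ENDPOINT_KEYS:
        url = validate_endpoint(hub[key])
        host = urlsplit(url).hostname
        if host not in trusted_hosts:
            untrusted_hosts.add(host)
        endpoints[key] = url
    return endpoints, untrusted_hosts


if __name__ == "__main__":
    print("unchecked:", load_hub_endpoints_unchecked(SAMPLE_VAULT_METADATA)["authEndpoint"])
    try:
        load_hub_endpoints(SAMPLE_VAULT_METADATA, {"hub.example.test"})
    except InsecureEndpoint as err:
        print("rejected:", err)
```

The hardened loader fails closed: a single non-https endpoint aborts the unlock rather than being silently used, and a host the client has not seen before is surfaced to the caller instead of being contacted, which addresses the "no trust prompt" part of the description.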


How to mitigate CVE-2026-32309

Install the security update from the vendor's website.
