Improper Authorization in Cryptomator - CVE-2026-33472

Published: April 20, 2026

Vulnerability identifier: #VU126590
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33472
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: cryptomator
Affected software:
Cryptomator

Detailed vulnerability description

The vulnerability allows a remote user to obtain sensitive information.

The vulnerability exists due to improper access control in CheckHostTrustController.getAuthority() when validating hub configuration URLs read from a cloud-synced vault. A remote user who can modify the vault.cryptomator file can downgrade the OAuth token exchange to plaintext HTTP and thereby obtain sensitive information.

User interaction is required to open and unlock the tampered vault, and successful exploitation also requires a network-positioned adversary to intercept the plaintext token exchange.
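A defender-side check in the spirit of the described weakness, added here as an example rather than Cryptomator's own code: every hub endpoint URL taken from a vault configuration is accepted only if it uses HTTPS, names a host and carries no embedded credentials, and all endpoints must share one authority. The config keys, the sample URLs and the shared-authority rule are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the hub section of a vault.cryptomator payload.
# The field names are assumptions for this example, not Cryptomator's schema.
HUB_URL_KEYS = ("authEndpoint", "tokenEndpoint", "apiBaseUrl")

TRUSTED_CONFIG = {
    "authEndpoint": "https://hub.example.org/auth",
    "tokenEndpoint": "https://hub.example.org/token",
    "apiBaseUrl": "https://hub.example.org/api/",
}

# The same config after a tampered sync: the token endpoint now uses http.
TAMPERED_CONFIG = dict(TRUSTED_CONFIG, tokenEndpoint="http://hub.example.org/token")


def hub_authority(url: str) -> str:
    """Return the lower-cased host[:port] of a hub URL, or raise ValueError.

    Only https URLs with a plain hostname and no userinfo are accepted, so a
    later OAuth token exchange against this authority cannot run over
    plaintext HTTP."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"hub URL must use https: {url}")
    if not parts.hostname:
        raise ValueError(f"hub URL has no host: {url}")
    if parts.username is not None or parts.password is not None:
        raise ValueError(f"hub URL must not carry credentials: {url}")
    return parts.netloc.lower()


def validate_hub_config(config: dict) -> list:
    """Check every hub endpoint; return the rejected keys (empty list = accept).

    Assumed rule for this example: all endpoints must share one authority, so
    a synced config cannot send the token exchange to a different host than
    the authorization step."""
    rejected = []
    authorities = set()
    for key in HUB_URL_KEYS:
        try:
            authorities.add(hub_authority(config[key]))
        except (KeyError, ValueError):
            rejected.append(key)
    if not rejected and len(authorities) != 1:
        rejected.extend(HUB_URL_KEYS)  # mixed authorities: reject the whole config
    return rejected


if __name__ == "__main__":
    print("trusted:", validate_hub_config(TRUSTED_CONFIG))    # []
    print("tampered:", validate_hub_config(TAMPERED_CONFIG))  # ['tokenEndpoint']
```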
How to mitigate CVE-2026-33472

Install the security update from the vendor's website.

Sources