PT-2026-26655 · Unknown · Cryptomator

Published: 2026-03-20 · Updated: 2026-03-26 · CVE-2026-32303

CVSS v3.1: 7.6 (High)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Cryptomator versions prior to 1.19.1

Description

Cryptomator encrypts data stored on cloud infrastructure. A flaw in integrity checks allows tampering with the vault configuration file, potentially leading to a man-in-the-middle issue during Hub key loading. Before version 1.19.1, the client trusted endpoints from the vault configuration without verifying host authenticity. This could allow an attacker to exfiltrate tokens by substituting a legitimate authentication endpoint with a malicious API endpoint. The issue impacts users unlocking Hub-backed vaults with vulnerable client versions in environments where an attacker can modify the vault.cryptomator file.

Recommendations

Update to version 1.19.1 or later.

Exploit

Fix

Weakness Enumeration

UI Misrepresentation of Critical Information
Origin Validation Error

Related Identifiers

CVE-2026-32303
GHSA-34RF-RWR3-7G43

Affected Products

Cryptomator