PT-2026-26658 · Cryptomator · Cryptomator

Yanchon918S · Published 2026-03-20 · Updated 2026-03-22 · CVE-2026-32310

CVSS v3.1: 5.3 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Cryptomator versions 1.6.0 through 1.19.0
Description: Cryptomator encrypts data stored in cloud infrastructure. Versions prior to 1.19.1 parse the vault configuration before verifying its integrity: the key ID that names the masterkey file is read from the still-unverified configuration, and the masterkeyfile loader uses it directly as a filesystem path, resolving keyId.getSchemeSpecificPart() against the vault path and probing for the file with Files.exists(). Because Path.resolve() returns an absolute argument unchanged and does not reject parent-directory segments, a malicious vault configuration can point the loader outside the vault using parent directory escapes (../), absolute local paths, or UNC paths (e.g., masterkeyfile://attacker/share/masterkey.cryptomator). On Windows, the UNC variant makes the Files.exists() probe open an outbound SMB connection to the attacker-named host before the passphrase is entered, so merely opening the vault is enough to trigger it. The vulnerable sink is the Files.exists() call in the masterkeyfile loader; the attacker-controlled parameter is keyId.
Recommendations: Update to version 1.19.1 or later.
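The following Java program reconstructs the resolution step described above and puts a hardened variant beside it. It is added example code for this page, not Cryptomator's source; the class and method names, the validation rules, and the sample vault location and key IDs are assumptions, and the hardened version is not the upstream 1.19.1 fix. Files.exists() is deliberately not called in the demo, because on Windows that call on a UNC path is the step that opens the outbound SMB connection.

```java
import java.net.URI;
import java.nio.file.Path;
import java.util.List;

/*
 * Added illustration for this advisory (not project code). Shows how an
 * unverified key ID from the vault configuration becomes a path, and how
 * constraining it to a bare file name inside the vault directory closes
 * the traversal, absolute-path and UNC variants before any filesystem probe.
 */
public class KeyIdPathCheck {

    static final String SCHEME = "masterkeyfile"; // scheme used by vault key IDs

    // Vulnerable pattern: the scheme-specific part of the kid is resolved
    // against the vault directory as-is. Path.resolve() returns its argument
    // unchanged when that argument is absolute, so "/etc/passwd" and (on
    // Windows) "//attacker/share/..." leave the vault directory outright, and
    // "../" segments walk out of it. The real loader then calls
    // Files.exists() on the result; that probe is the sink.
    static Path vulnerableResolve(Path vaultPath, URI keyId) {
        return vaultPath.resolve(keyId.getSchemeSpecificPart());
    }

    // Hardened variant (assumption, not the upstream fix): require the
    // expected scheme, accept only a bare file name (no separators, no drive
    // colon, no dot segments), and confirm the normalized result is a direct
    // child of the vault directory before anything touches the filesystem.
    static Path hardenedResolve(Path vaultPath, URI keyId) {
        if (!SCHEME.equals(keyId.getScheme())) {
            throw new IllegalArgumentException("unexpected key id scheme: " + keyId.getScheme());
        }
        String name = keyId.getSchemeSpecificPart();
        if (name == null || name.isEmpty()
                || name.contains("/") || name.contains("\\") || name.contains(":")
                || name.equals(".") || name.equals("..")) {
            throw new IllegalArgumentException("key id is not a bare file name: " + name);
        }
        Path base = vaultPath.toAbsolutePath().normalize();
        Path resolved = base.resolve(name).normalize();
        // Belt and braces: parent must be the vault itself and the file name
        // must survive normalization unchanged.
        if (!base.equals(resolved.getParent())
                || !name.equals(resolved.getFileName().toString())) {
            throw new IllegalArgumentException("key id escapes the vault directory: " + name);
        }
        return resolved;
    }

    public static void main(String[] args) {
        Path vault = Path.of("vault"); // constructed sample vault location
        // Constructed sample key IDs: one legitimate, three malicious.
        List<String> kids = List.of(
                "masterkeyfile:masterkey.cryptomator",
                "masterkeyfile:../../etc/masterkey.cryptomator",
                "masterkeyfile:/etc/passwd",
                "masterkeyfile://attacker/share/masterkey.cryptomator");
        for (String kid : kids) {
            URI keyId = URI.create(kid);
            System.out.println("kid: " + kid);
            System.out.println("  vulnerable -> " + vulnerableResolve(vault, keyId));
            try {
                System.out.println("  hardened   -> " + hardenedResolve(vault, keyId));
            } catch (IllegalArgumentException e) {
                System.out.println("  hardened   -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Running it on Windows shows the last sample resolving to a UNC path (\\attacker\share\masterkey.cryptomator) in the vulnerable branch, which is the path the loader would hand to Files.exists(); on Linux the same input collapses to a local absolute path, which is why the outbound-SMB consequence is Windows-specific while the traversal and absolute-path variants apply everywhere.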

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2026-32310
GHSA-5PHC-5PFX-HR52

Affected Products

Cryptomator