PT-2026-33365 · Unknown · Cryptomator

Published: 2026-04-16 · Updated: 2026-04-17 · CVE-2026-33472

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Cryptomator version 1.19.1
Description: A logic flaw exists in the getAuthority() method of CheckHostTrustController. Instead of reading the scheme from the URI, the method hardcodes it based on the port number, so an HTTPS URL that explicitly uses port 80 yields the same authority string as a plaintext HTTP URL on the same host and port. This defeats both the consistency check on endpoint authorities and the HTTP block validation. An attacker with write access to a cloud-synced vault.cryptomator file can set apiBaseUrl and authEndpoint to HTTPS URLs on port 80 so that auto-trust validation passes, while leaving tokenEndpoint on plaintext HTTP. The vault is then auto-trusted without prompting the user, and a network-positioned attacker can intercept the OAuth token exchange in cleartext and use the captured token to access the Cryptomator Hub API as the victim. The CVSS vector reflects the preconditions: write access to the synced vault file (PR:L), a victim who opens the vault (UI:R), and an attacker positioned on the victim's network path (AC:H).
Recommendations: Update to version 1.19.2.
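The flaw and its correction, as an added Python illustration: this is not Cryptomator's code and makes no claim about how 1.19.2 actually fixes it. It reconstructs a getAuthority()-style helper that derives the scheme from the port, the auto-trust check built on it, and a corrected pair that compares scheme, host and port explicitly and requires HTTPS on every endpoint. The helper names, the shape of the HTTP block (assumed to cover apiBaseUrl and authEndpoint only, leaving tokenEndpoint to the consistency check) and the sample vault configuration are assumptions built from the advisory text.

```python
"""Reconstruction of the authority-check logic flaw described above.

Added illustration, not Cryptomator's code: helper names, the shape of the
checks and the sample vault configuration are assumptions derived from the
advisory text. Real Cryptomator code may differ.
"""
from urllib.parse import urlsplit

# Hub endpoint fields named in the advisory.
HUB_ENDPOINTS = ("apiBaseUrl", "authEndpoint", "tokenEndpoint")


def _effective_port(u) -> int:
    """Explicit port if present, otherwise the scheme default."""
    if u.port is not None:
        return u.port
    return 443 if u.scheme == "https" else 80


def vulnerable_authority(url: str) -> str:
    """Hypothetical flawed getAuthority(): the scheme is derived from the
    port number and the URL's own scheme is never consulted, so
    https://host:80 and http://host:80 collapse to the same string."""
    u = urlsplit(url)
    port = _effective_port(u)
    scheme = "https" if port == 443 else "http"  # FLAW: the port decides the scheme
    return f"{scheme}://{u.hostname}:{port}"


def vulnerable_auto_trust(cfg: dict) -> bool:
    """Hypothetical pre-fix validation (assumption): the HTTP block is applied
    to apiBaseUrl and authEndpoint only; tokenEndpoint is covered solely by
    requiring all three endpoints to share one authority string."""
    for key in ("apiBaseUrl", "authEndpoint"):
        if urlsplit(cfg[key]).scheme != "https":
            return False
    authorities = {vulnerable_authority(cfg[k]) for k in HUB_ENDPOINTS}
    return len(authorities) == 1


def fixed_authority(url: str) -> str:
    """Corrected authority: scheme, host and port are all taken from the URL."""
    u = urlsplit(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        raise ValueError(f"unsupported or malformed endpoint URL: {url!r}")
    return f"{u.scheme}://{u.hostname}:{_effective_port(u)}"


def fixed_auto_trust(cfg: dict) -> bool:
    """Hardened validation: every endpoint, tokenEndpoint included, must be
    HTTPS, and all must agree on scheme, host and port exactly."""
    urls = [cfg[k] for k in HUB_ENDPOINTS]
    if any(urlsplit(u).scheme != "https" for u in urls):
        return False
    return len({fixed_authority(u) for u in urls}) == 1


# Constructed sample configs (not real Hub instances). The malicious one
# mirrors the attack in the advisory: HTTPS on port 80 for the first two
# endpoints, plaintext HTTP for the token endpoint.
BENIGN_CONFIG = {
    "apiBaseUrl": "https://hub.example.test/api/",
    "authEndpoint": "https://hub.example.test/realms/demo/protocol/openid-connect/auth",
    "tokenEndpoint": "https://hub.example.test/realms/demo/protocol/openid-connect/token",
}
MALICIOUS_CONFIG = {
    "apiBaseUrl": "https://hub.example.test:80/api/",
    "authEndpoint": "https://hub.example.test:80/realms/demo/protocol/openid-connect/auth",
    "tokenEndpoint": "http://hub.example.test:80/realms/demo/protocol/openid-connect/token",
}


if __name__ == "__main__":
    for name, cfg in (("benign", BENIGN_CONFIG), ("malicious", MALICIOUS_CONFIG)):
        print(f"{name:9s} vulnerable={vulnerable_auto_trust(cfg)!s:5s} "
              f"fixed={fixed_auto_trust(cfg)}")
```

Running the script shows the malicious configuration accepted by the port-driven check and rejected by the corrected one. The general lesson is that any "all endpoints agree" comparison must normalise on the full origin (scheme, host, port) rather than a proxy for it, and that a transport requirement such as HTTPS has to be enforced on every URL that will carry a credential, not just the ones the user is most likely to see.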

Weakness Enumeration
Cleartext Transmission of Sensitive Information

Related Identifiers
CVE-2026-33472

Affected Products
Cryptomator