Cryptomator Cloud Storage App Allows Unauthorized Access to Hub API

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

4.8

Cryptomator Cloud Storage App Allows Unauthorized Access to Hub API

CVE-2026-33472

Summary

A security flaw in Cryptomator version 1.19.1 allows a hacker to bypass security checks and access your encrypted cloud storage hub without your permission. This can happen if you have a malicious actor with access to your cloud-synced vault. Update to version 1.19.2 to fix this issue.

Original title

Original description

Cryptomator is an open-source client-side encryption application for cloud storage. Version 1.19.1 contains a logic flaw in CheckHostTrustController.getAuthority() that allows an attacker to bypass the security fix for CVE-2026-32303. The method hardcodes the URI scheme based on port number, causing HTTPS URLs with port 80 to produce the same authority string as HTTP URLs, which defeats both the consistency check and the HTTP block validation. An attacker with write access to a cloud-synced vault.cryptomator file can craft a Hub configuration where apiBaseUrl and authEndpoint use HTTPS with port 80 to pass auto-trust validation, while tokenEndpoint uses plaintext HTTP. The vault is auto-trusted without user prompt, and a network-positioned attacker can intercept the OAuth token exchange to access the Cryptomator Hub API as the victim. This issue has been fixed in version 1.19.2.

nvd CVSS3.1 4.8

Vulnerability type

CWE-305

CWE-319 Cleartext Transmission of Sensitive Information

Published: 16 Apr 2026 · Updated: 17 Apr 2026 · First seen: 16 Apr 2026