{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33472", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T16:16:48.969Z", "datePublished": "2026-04-16T21:12:37.076Z", "dateUpdated": "2026-04-16T21:12:37.076Z"}, "containers": {"cna": {"title": "Cryptomator Hub OAuth token exchange HTTP downgrade via getAuthority() scheme confusion (CVE-2026-32303 bypass)", "problemTypes": [{"descriptions": [{"cweId": "CWE-305", "lang": "en", "description": "CWE-305: Authentication Bypass by Primary Weakness", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-319", "lang": "en", "description": "CWE-319: Cleartext Transmission of Sensitive Information", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/cryptomator/cryptomator/security/advisories/GHSA-9q8x-whrw-x44p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/cryptomator/cryptomator/security/advisories/GHSA-9q8x-whrw-x44p"}, {"name": "https://github.com/cryptomator/cryptomator/pull/4179", "tags": ["x_refsource_MISC"], "url": "https://github.com/cryptomator/cryptomator/pull/4179"}, {"name": "https://github.com/cryptomator/cryptomator/releases/tag/1.19.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/cryptomator/cryptomator/releases/tag/1.19.2"}], "affected": [{"vendor": "cryptomator", "product": "cryptomator", "versions": [{"version": ">= 1.19.1, < 1.19.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-16T21:12:37.076Z"}, "descriptions": [{"lang": "en", "value": "Cryptomator is an open-source client-side encryption application for cloud storage. Version 1.19.1 contains a logic flaw in CheckHostTrustController.getAuthority() that allows an attacker to bypass the security fix for CVE-2026-32303. The method hardcodes the URI scheme based on port number, causing HTTPS URLs with port 80 to produce the same authority string as HTTP URLs, which defeats both the consistency check and the HTTP block validation. An attacker with write access to a cloud-synced vault.cryptomator file can craft a Hub configuration where apiBaseUrl and authEndpoint use HTTPS with port 80 to pass auto-trust validation, while tokenEndpoint uses plaintext HTTP. The vault is auto-trusted without user prompt, and a network-positioned attacker can intercept the OAuth token exchange to access the Cryptomator Hub API as the victim. This issue has been fixed in version 1.19.2."}], "source": {"advisory": "GHSA-9q8x-whrw-x44p", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cryptomator is an open-source client-side encryption application for cloud storage. Version 1.19.1 contains a logic flaw in CheckHostTrustController.getAuthority() that allows an attacker to bypass the security fix for CVE-2026-32303. The method hardcodes the URI scheme based on port number, causing HTTPS URLs with port 80 to produce the same authority string as HTTP URLs, which defeats both the consistency check and the HTTP block validation. An attacker with write access to a cloud-synced vault.cryptomator file can craft a Hub configuration where apiBaseUrl and authEndpoint use HTTPS with port 80 to pass auto-trust validation, while tokenEndpoint uses plaintext HTTP. The vault is auto-trusted without user prompt, and a network-positioned attacker can intercept the OAuth token exchange to access the Cryptomator Hub API as the victim. This issue has been fixed in version 1.19.2."}], "id": "CVE-2026-33472", "lastModified": "2026-04-16T22:16:37.583", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-16T22:16:37.583", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/cryptomator/cryptomator/pull/4179"}, {"source": "security-advisories@github.com", "url": "https://github.com/cryptomator/cryptomator/releases/tag/1.19.2"}, {"source": "security-advisories@github.com", "url": "https://github.com/cryptomator/cryptomator/security/advisories/GHSA-9q8x-whrw-x44p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-305"}, {"lang": "en", "value": "CWE-319"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.19.1,1.19.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "cryptomator", "source": "cna", "vendor": "cryptomator"}, "product": "cryptomator", "vendor": "cryptomator"}], "analysis": {"en": {"generated_at": "2026-04-17T02:26:53.645501+00:00", "value": {"mitigation_remediation": ["Upgrade Cryptomator to version 1.19.2 or later", "Restrict write access to vault.cryptomator files to authorized users only", "Validate that Hub configuration URLs use standard HTTPS ports (443) and avoid HTTPS URLs with port 80"], "summary": {"action": "Patch Now", "impact": "Authentication bypass allowing token theft"}, "threat_synthesis": {"affected_systems": "Cryptomator version 1.19.1 is affected; the issue is fixed in version 1.19.2. No other vendors or products are listed.", "description_and_impact": "Cryptomator 1.19.1 contains a logic flaw in the CheckHostTrustController.getAuthority() method that hardcodes the URI scheme based on port number. This flaw causes HTTPS URLs using port 80 to be treated the same as HTTP URLs, effectively bypassing consistency checks and the HTTP block validation. An attacker who can modify a vault.cryptomator file can craft a Hub configuration where the apiBaseUrl and authEndpoint use HTTPS on port 80 to pass auto\u2011trust validation while the tokenEndpoint uses plain HTTP. The vault is automatically trusted without user consent, allowing a network\u2011positioned attacker to intercept the OAuth token exchange and gain unauthorized access to the Cryptomator Hub API as the victim.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 4.8 (moderate). EPSS is not available and the vulnerability is not in the CISA KEV catalog. Exploitation requires an attacker with write access to a cloud\u2011synced vault.cryptomator file, which can be achieved if the file is accessible to untrusted parties. The attack is thus limited to environments where such file modification is possible, and no remote code execution is directly achieved. The overall risk is moderate, with a realistic threat from compromised or poorly secured cloud storage."}}}}, "created": "2026-04-16T22:30:03.066789+00:00", "updated": "2026-04-17T02:30:07.315708+00:00", "vendors": ["cryptomator", "cryptomator$PRODUCT$cryptomator"]}