CVE-2026-2974
Backup Token Exposure in AliasVault App Backup Handler
Publication date: 2026-02-23
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| aliasvault | aliasvault | up to 0.25.3 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-530 | A backup file is stored in a directory or archive that is made accessible to unauthorized actors. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2974 is a vulnerability in the AliasVault app versions up to 0.25.3 on Android and iOS platforms. It involves insecure storage of sensitive authentication and cryptographic data such as access tokens, refresh tokens, metadata, key derivation parameters, and authentication methods in plaintext within the backup file shared_prefs/aliasvault.xml.

Because the app allowed native backups by default, these sensitive tokens were included in device and cloud backups, exposing them to unauthorized access if the backups were compromised. Although the tokens alone cannot decrypt the vault without the master password due to AliasVault's zero-knowledge encryption design, their exposure still poses a confidentiality risk.

The vulnerability requires local access to exploit and is considered difficult to exploit, but a proof-of-concept exploit is publicly available. The issue was fixed in version 0.26.0 by disabling native backups and excluding sensitive files from backups. [2, 3, 4]
How can this vulnerability impact me?
This vulnerability can impact you by exposing sensitive authentication tokens and cryptographic parameters through device or cloud backups. If an attacker gains access to these backups, they could steal access tokens and refresh tokens, potentially compromising your user accounts and active sessions.
While the tokens cannot decrypt the vault without the master password, their exposure increases the risk of unauthorized access to your AliasVault account sessions or API interactions.
The vulnerability requires local access and is difficult to exploit, but the exploit is publicly available, increasing the risk if backups are not properly secured or if the app is not updated.
Upgrading to AliasVault version 0.26.0 mitigates this risk by disabling native backups and excluding sensitive files from backups.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves sensitive data stored in plaintext within the file shared_prefs/aliasvault.xml on Android/iOS devices. Detection involves inspecting the presence and contents of this file on the device or within backups.

On Android devices, you can check if the app's backup is enabled and if the sensitive file is included in backups by inspecting the AndroidManifest.xml and backup rules.

- Use adb to check if backups are enabled for the AliasVault app: `adb shell dumpsys package aliasvault | grep allowBackup`
- Check if the file shared_prefs/aliasvault.xml exists and contains sensitive tokens: `adb shell run-as aliasvault cat /data/data/aliasvault/shared_prefs/aliasvault.xml`
- Inspect backup rules if accessible: `adb shell run-as aliasvault cat /data/data/aliasvault/xml/backup_rules.xml`

Additionally, attackers might use Google dorking techniques such as searching for inurl:shared_prefs/aliasvault.xml to identify exposed backup files on the internet. [3, 4, 6]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the AliasVault app to version 0.26.0 or later, which includes fixes that disable native backups and exclude sensitive files from backups.

Specifically, the update disables Android backups by setting android:allowBackup="false" in the AndroidManifest.xml and disables iOS native backups for shared app data.

If upgrading immediately is not possible, as a temporary measure, disable backups for the app or manually exclude the sensitive files such as shared_prefs/aliasvault.xml from backups.

Encrypt sensitive tokens and authentication data using secure storage mechanisms like Keystore-backed encryption or EncryptedSharedPreferences to prevent plaintext storage.

Review and update backup rules to explicitly exclude sensitive preference files and consider disabling backup functionality entirely if it is not required. [1, 4, 5, 7]
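The Android side of the mitigation above, written out as an added example that is not AliasVault's own code: the weak manifest setting beside the two hardened variants (backups disabled outright, as the 0.26.0 fix does, or kept on with the sensitive preference file excluded via Android's standard backup rule files). The resource file names and the shared preferences file name aliasvault.xml are assumed for illustration.

```xml
<!-- AndroidManifest.xml: <application> element only, xmlns:android declared on <manifest> -->

<!-- Weak: allowBackup="true" (also the default) lets auto backup copy every file under
     the app's data directory, including shared_prefs/aliasvault.xml, into device/cloud backups -->
<application
    android:allowBackup="true">
</application>

<!-- Hardened, option 1 (what the advisory describes for 0.26.0): no native backups at all -->
<application
    android:allowBackup="false">
</application>

<!-- Hardened, option 2: keep backups but point Android at explicit exclusion rules.
     fullBackupContent applies on Android 11 and below, dataExtractionRules on Android 12+ -->
<application
    android:allowBackup="true"
    android:fullBackupContent="@xml/backup_rules"
    android:dataExtractionRules="@xml/data_extraction_rules">
</application>

<!-- res/xml/backup_rules.xml (assumed file name): domain "sharedpref" resolves to shared_prefs/,
     so this excludes shared_prefs/aliasvault.xml from auto backup -->
<full-backup-content>
    <exclude domain="sharedpref" path="aliasvault.xml"/>
</full-backup-content>

<!-- res/xml/data_extraction_rules.xml (assumed file name): cloud backup and device-to-device
     transfer are separate channels on Android 12+, so the exclusion is declared for both -->
<data-extraction-rules>
    <cloud-backup>
        <exclude domain="sharedpref" path="aliasvault.xml"/>
    </cloud-backup>
    <device-transfer>
        <exclude domain="sharedpref" path="aliasvault.xml"/>
    </device-transfer>
</data-extraction-rules>
```

After applying either hardened variant, the `adb shell dumpsys package ... | grep allowBackup` check from the detection section above should report the chosen setting, and a fresh backup should no longer contain the preference file.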