Executive Summary

CVE-2026-29110 is a vulnerability in Cryptomator versions prior to 1.19.0 where cleartext file paths may be leaked into log files even when the application is running in non-debug mode.

This leakage happens only when a filesystem request fails, for example due to a damaged encrypted file or a non-existent file, causing the application to generate a log message that includes sensitive meta information about files stored inside a vault.

Not all cleartext paths are logged, only those related to failed filesystem requests, potentially exposing details while the vault is closed.

The vulnerability is classified under CWE-209, which involves generation of error messages containing sensitive information.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to the unintended disclosure of sensitive meta information about files stored inside a Cryptomator vault through log files.

An attacker with local access could potentially view these log files and gain information about file paths, which might reveal details about the contents or structure of the vault even when it is closed.

The impact on confidentiality is low, and there is no impact on integrity or availability.

The attack complexity is high, requires local access, low privileges, and user interaction.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by inspecting Cryptomator log files for cleartext file paths that appear when filesystem requests fail. These log files are generated when errors such as damaged encrypted files or non-existent files occur.'}, {'type': 'paragraph', 'content': 'To detect the vulnerability, you can search for suspicious cleartext paths in the log files located in the following directories depending on your operating system:'}, {'type': 'list_item', 'content': 'Windows: %LOCALAPPDATA%/Cryptomator'}, {'type': 'list_item', 'content': 'macOS: ~/Library/Logs/Cryptomator'}, {'type': 'list_item', 'content': 'Linux: ~/.local/share/Cryptomator/logs'}, {'type': 'paragraph', 'content': 'Example commands to search for cleartext paths in log files could include:'}, {'type': 'list_item', 'content': "On Linux/macOS: grep -iE 'path|file' ~/.local/share/Cryptomator/logs/*.log"}, {'type': 'list_item', 'content': 'On Windows (PowerShell): Select-String -Path "$env:LOCALAPPDATA\\Cryptomator\\*.log" -Pattern \'path\',\'file\''}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The vulnerability is fixed in Cryptomator version 1.19.0. The immediate step to mitigate this issue is to upgrade Cryptomator to version 1.19.0 or later.

As a workaround before upgrading, you can delete existing application log files to remove any leaked cleartext paths. The log files to delete are located at:

• Windows: %LOCALAPPDATA%/Cryptomator
• macOS: ~/Library/Logs/Cryptomator
• Linux: ~/.local/share/Cryptomator/logs

Useful 0 Not Useful 0