CVE-2026-32309
Status: Received - Intake
Insecure HTTP Endpoint Allows Token Interception in Cryptomator

Publication date: 2026-03-20

Last updated on: 2026-03-27

Assigner: GitHub, Inc.

Description
Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.1, the Hub-based unlock flow explicitly supports hub+http and consumes Hub endpoints from vault metadata without enforcing HTTPS. As a result, a vault configuration can drive OAuth and key-loading traffic over plaintext HTTP or other insecure endpoint combinations. An active network attacker can tamper with or observe this traffic. Even when the vault key is encrypted for the device, bearer tokens and endpoint-level trust decisions are still exposed to downgrade and interception. This issue has been patched in version 1.19.1.
Meta Information
Published: 2026-03-20
Last Modified: 2026-03-27
Generated: 2026-05-07
AI Q&A: 2026-03-20
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: cryptomator
Product: cryptomator
Version / Range: up to 1.19.1 (excluding)
CWE
CWE-319: The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-32309 is a security vulnerability in Cryptomator versions up to 1.19.0 related to the Hub-based unlock flow accepting plaintext HTTP and unvalidated endpoint schemes.

The system supports both "hub+http" and "hub+https" URI schemes and consumes Hub endpoint URLs (authEndpoint, tokenEndpoint, apiBaseUrl) directly from vault metadata without enforcing HTTPS or validating the scheme.

This allows a vault configuration to direct OAuth authorization, token exchange, device registration data, encrypted user keys, and vault access tokens over insecure plaintext HTTP connections.

An attacker controlling the network or endpoints can observe or tamper with this sensitive traffic, including bearer tokens and key-delivery requests.

The client does not enforce HTTPS or verify that all Hub endpoints belong to the same trusted origin, leaving transport security dependent on untrusted vault metadata.

This enables downgrade attacks, interception, and redirection to attacker-controlled endpoints without user prompts or transport policy checks.

The root cause is the lack of enforced HTTPS and origin consistency checks for Hub endpoints.

The issue was patched in Cryptomator version 1.19.1 by removing support for "hub+http" in production builds and rejecting any non-HTTPS values for critical endpoints. [1]


How can this vulnerability impact me?

This vulnerability can allow an active network attacker to observe or tamper with sensitive data transmitted during the unlock process of Cryptomator vaults.

Specifically, bearer tokens, OAuth authorization data, device registration information, encrypted user keys, and vault access tokens can be exposed over insecure plaintext HTTP connections.

Such exposure can lead to interception, downgrade attacks, and redirection to attacker-controlled endpoints without user awareness.

Even though the vault key itself is encrypted for the device, the exposure of bearer tokens and endpoint-level trust decisions can compromise the security of the vault access.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring network traffic for OAuth and key-loading communications that occur over plaintext HTTP instead of HTTPS. Specifically, look for traffic involving Hub endpoints such as authEndpoint, tokenEndpoint, and apiBaseUrl being transmitted without encryption.

Commands to detect this may include using network packet capture tools like tcpdump or Wireshark to filter HTTP traffic to or from Cryptomator vault endpoints. For example:

- tcpdump -i <interface> -A 'tcp port 80 and (host <vault_endpoint_IP_or_hostname>)'
- wireshark filter: http && (ip.addr == <vault_endpoint_IP>)

Additionally, inspecting the vault metadata configuration files for any Hub endpoint URLs using the "hub+http" scheme or non-HTTPS URLs can help identify vulnerable configurations. [1]


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, upgrade Cryptomator to version 1.19.1 or later, where the issue has been patched.

If upgrading is not immediately possible, ensure that all Hub endpoint URLs (authEndpoint, tokenEndpoint, apiBaseUrl) in vault metadata enforce HTTPS and reject any non-HTTPS or "hub+http" schemes.

Restrict any legacy HTTP support to developer-only environments with strong user warnings, and validate that all Hub endpoints belong to the same trusted origin to prevent downgrade and interception attacks. [1]
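The detection and mitigation answers above both reduce to one audit of vault metadata: the key id must use hub+https, every Hub endpoint must be HTTPS, and all endpoints must share one origin. The following checker is an added example, not Cryptomator's own code; the JSON layout it reads ("kid" holding the hub+ URI and a "hub" object holding authEndpoint, tokenEndpoint, apiBaseUrl) and the two sample configurations are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Endpoint names are those cited in the advisory; the JSON layout around them is assumed.
HUB_ENDPOINT_KEYS = ("authEndpoint", "tokenEndpoint", "apiBaseUrl")

# Constructed sample metadata: a downgraded, mixed-origin vault and an acceptable one.
DOWNGRADED_META = json.dumps({
    "kid": "hub+http://hub.example.test/api/vaults/v1",
    "hub": {"authEndpoint": "http://hub.example.test/auth",
            "tokenEndpoint": "https://hub.example.test/token",
            "apiBaseUrl": "https://other.example.test/api"}})
GOOD_META = json.dumps({
    "kid": "hub+https://hub.example.test/api/vaults/v1",
    "hub": {"authEndpoint": "https://hub.example.test/auth",
            "tokenEndpoint": "https://hub.example.test/token",
            "apiBaseUrl": "https://hub.example.test/api"}})


def origin_of(url):
    """(host, port) of a URL, default port filled in so 'https://h' matches 'https://h:443'."""
    p = urlparse(url)
    port = p.port or {"https": 443, "http": 80}.get(p.scheme.lower())
    return ((p.hostname or "").lower(), port)


def check_hub_metadata(meta_json):
    """Findings for one vault's Hub metadata (empty list == passes the 1.19.1-style policy:
    hub+https key id, HTTPS on every endpoint, and one shared origin)."""
    meta = json.loads(meta_json)
    findings = []
    kid = meta.get("kid", "")
    if not kid.startswith("hub+https://"):
        findings.append(f"kid does not use hub+https: {kid!r}")
    origins = {}
    if kid.startswith("hub+"):
        origins["kid"] = origin_of(kid[len("hub+"):])  # strip the hub+ prefix to get a URL
    for key in HUB_ENDPOINT_KEYS:
        url = meta.get("hub", {}).get(key)
        if not url:
            findings.append(f"{key} missing from hub metadata")
            continue
        if urlparse(url).scheme.lower() != "https":
            findings.append(f"{key} is not HTTPS: {url}")
        origins[key] = origin_of(url)
    if len(set(origins.values())) > 1:  # every endpoint must share one trusted origin
        findings.append("Hub endpoints do not share one origin: "
                        + ", ".join(f"{k}={h}:{p}" for k, (h, p) in origins.items()))
    return findings
```

Run check_hub_metadata over each vault's metadata before unlocking; any non-empty result marks a vault whose Hub configuration should be corrected rather than trusted.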

