CVE-2026-32318
Integrity Check Bypass in Cryptomator iOS Enables MITM Attack
Publication date: 2026-03-20
Last updated on: 2026-03-26
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cryptomator | cryptomator | up to and including 2.8.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-354 | The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission. |
| CWE-451 | The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks. |
| CWE-923 | The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint. |
| CWE-346 | The product does not properly verify that the source of data or communication is valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32318 is a high-severity vulnerability affecting Cryptomator iOS clients prior to version 2.8.3. It stems from an integrity check flaw in the vault configuration file (vault.cryptomator), which allows an attacker to tamper with this file. This tampering enables a man-in-the-middle (MITM) attack on the Hub API during the key loading process.
The root cause is that the client trusted endpoints specified in the vault configuration without verifying host authenticity. This flaw allows an attacker to mix a legitimate authentication endpoint with a malicious API endpoint, potentially leading to token exfiltration.
The vulnerability impacts users unlocking Hub-backed vaults in environments where an attacker can modify the vault configuration file. The issue was patched in version 2.8.3 by introducing a Trust-on-First-Contact (TOFU) host verification mechanism requiring explicit user approval to trust new hosts.
How can this vulnerability impact me?
This vulnerability can allow an attacker to perform a man-in-the-middle attack by tampering with the vault configuration file, leading to token exfiltration. This means an attacker could intercept or manipulate authentication tokens during the key loading process, potentially compromising access control.
However, due to Cryptomator Hub's use of end-to-end encryption, the actual vault data confidentiality remains protected despite this vulnerability.
Users in environments where an attacker can alter the vault.cryptomator file are at risk, especially when unlocking Hub-backed vaults with affected client versions.
The vulnerability does not impact availability and has a low integrity impact but has a high confidentiality impact on tokens.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves tampering with the vault configuration file (vault.cryptomator) and a man-in-the-middle attack on the Hub API during key loading. Detection involves monitoring for unauthorized modifications to the vault.cryptomator file and suspicious network activity involving unexpected or untrusted Hub hosts.
Suggested detection approaches include:
- Check the integrity of the vault.cryptomator file by verifying its permissions and monitoring for unexpected changes.
- Monitor outbound network connections from the Cryptomator iOS client to ensure they are only made to trusted Hub hosts.
- Look for network traffic to unexpected or suspicious endpoints that differ from legitimate Cryptomator Hub endpoints.
Specific commands are not provided in the resources, but general commands that could help include:
- On a device or network monitoring system, use file integrity monitoring tools or commands (e.g., `ls -l` or `stat` on the vault.cryptomator file) to check for unauthorized changes.
- Use network monitoring commands or tools such as `netstat`, `tcpdump`, or Wireshark to capture and analyze network traffic from the Cryptomator client, focusing on connections to Hub hosts.
- Filter network traffic for unexpected domains or IP addresses that do not match known trusted Hub hosts.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, the following steps are recommended:
- Upgrade the Cryptomator iOS client to version 2.8.3 or later, which includes a patch implementing a Trust-on-First-Contact (TOFU) host verification mechanism.
- Restrict outbound network access from the Cryptomator client to only trusted Hub hosts to prevent communication with malicious endpoints.
- Protect the vault.cryptomator configuration file by enforcing strict file permissions and ensuring it is stored in trusted sync or storage paths to prevent unauthorized tampering.
- Use the new trusted hosts management UI (available in the patched version) to review and manage trusted Hub hosts explicitly.
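The Trust-on-First-Contact host check described in the explanation and mitigation answers above, as an added illustrative example written in Python (not Cryptomator's own Swift code). The `hub` field names in the config, the persisted host store and the `approve` callback standing in for the user prompt are assumptions made for this example.

```python
# Illustrative TOFU (trust-on-first-contact) check for the Hub hosts named in a
# vault configuration. The "hub" field names below are ASSUMED for this example;
# they are not the real vault.cryptomator schema.
import json
from urllib.parse import urlsplit

# Constructed sample config: auth endpoint and API endpoint on the same trusted host.
GENUINE_CONFIG = json.dumps({"hub": {
    "authEndpoint": "https://hub.example.test/auth",
    "apiBaseUrl": "https://hub.example.test/api/"}})

# Constructed tampered config: the auth endpoint still names the trusted host,
# but the API endpoint has been swapped to a different host (the mixed-endpoint case).
TAMPERED_CONFIG = json.dumps({"hub": {
    "authEndpoint": "https://hub.example.test/auth",
    "apiBaseUrl": "https://other-host.test/api/"}})

ENDPOINT_FIELDS = ("authEndpoint", "apiBaseUrl")

class UntrustedHostError(Exception):
    """Raised when a Hub host is neither trusted nor approved by the user."""

def hub_hosts(config_json):
    """Return {field: hostname} for every Hub endpoint in the config.
    Rejects non-https URLs so a downgrade cannot slip past the host check."""
    hub = json.loads(config_json)["hub"]
    hosts = {}
    for field in ENDPOINT_FIELDS:
        parts = urlsplit(hub[field])
        if parts.scheme != "https" or not parts.hostname:
            raise UntrustedHostError(f"{field}: refusing non-https endpoint {hub[field]!r}")
        hosts[field] = parts.hostname  # urlsplit already lower-cases the host
    return hosts

def check_hub_hosts(config_json, trusted_hosts, approve):
    """Gate every endpoint host BEFORE any request to the Hub is made.
    trusted_hosts: mutable set persisted by the client (the TOFU store, assumed).
    approve(field, host): callback standing in for the explicit user prompt.
    Returns the checked {field: host} mapping or raises UntrustedHostError."""
    hosts = hub_hosts(config_json)
    for field, host in hosts.items():
        if host in trusted_hosts:
            continue  # approved on an earlier contact
        if not approve(field, host):
            raise UntrustedHostError(f"{field}: host {host!r} not trusted")
        trusted_hosts.add(host)  # first contact: remember the approved host
    return hosts
```

Because each endpoint host is checked independently, a config that keeps the already-trusted auth host but swaps in a new API host still triggers a prompt instead of being contacted silently.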