CVE-2026-33472
Received Received - Intake
Logic Flaw in Cryptomator Allows OAuth Token Interception

Publication date: 2026-04-16

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
Cryptomator is an open-source client-side encryption application for cloud storage. Version 1.19.1 contains a logic flaw in CheckHostTrustController.getAuthority() that allows an attacker to bypass the security fix for CVE-2026-32303. The method hardcodes the URI scheme based on port number, causing HTTPS URLs with port 80 to produce the same authority string as HTTP URLs, which defeats both the consistency check and the HTTP block validation. An attacker with write access to a cloud-synced vault.cryptomator file can craft a Hub configuration where apiBaseUrl and authEndpoint use HTTPS with port 80 to pass auto-trust validation, while tokenEndpoint uses plaintext HTTP. The vault is auto-trusted without user prompt, and a network-positioned attacker can intercept the OAuth token exchange to access the Cryptomator Hub API as the victim. This issue has been fixed in version 1.19.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-16
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-17
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33472
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cryptomator cryptomator to 1.19.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-305 The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.
CWE-319 The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Cryptomator version 1.19.1 due to a logic flaw in the CheckHostTrustController.getAuthority() method. The method incorrectly hardcodes the URI scheme based on the port number, causing HTTPS URLs using port 80 to be treated the same as HTTP URLs. This flaw allows an attacker with write access to a cloud-synced vault.cryptomator file to craft a configuration that bypasses security checks, leading to the vault being auto-trusted without user confirmation.

Specifically, an attacker can set apiBaseUrl and authEndpoint to use HTTPS on port 80 to pass validation, while the tokenEndpoint uses plaintext HTTP. This enables a network-positioned attacker to intercept the OAuth token exchange and gain unauthorized access to the Cryptomator Hub API as the victim.

This issue was fixed in version 1.19.2.

Impact Analysis

If exploited, this vulnerability can allow an attacker to bypass security checks and gain unauthorized access to your Cryptomator Hub API by intercepting OAuth token exchanges.

This means that an attacker with write access to your cloud-synced vault configuration file and positioned on the network can impersonate you and potentially access sensitive encrypted data or perform actions on your behalf within the Cryptomator environment.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Cryptomator to version 1.19.2 or later, where the issue has been fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33472. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart