CVE-2026-32317 PUBLISHED

Cryptomator for Android: Tampered vault configuration allows MITM attack on Hub API

Assigner: GitHub_M
Reserved: 11.03.2026 Published: 20.03.2026 Updated: 20.03.2026

Cryptomator for Android offers multi-platform transparent client-side encryption for files in the cloud. Prior to version 1.12.3, an integrity check vulnerability allows an attacker tamper with the vault configuration file leading to a man-in-the-middle vulnerability in Hub key loading mechanism. Before this fix, the client trusted endpoints from the vault config without host authenticity checks, which could allow token exfiltration by mixing a legitimate auth endpoint with a malicious API endpoint. Impacted are users unlocking Hub-backed vaults with affected client versions in environments where an attacker can alter the vault.cryptomator file. This issue has been patched in version 1.12.3.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
CVSS Score: 7.6

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	Low
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	cryptomator
Product	android
Versions	Version < 1.12.3 is affected

References

Problem Types

CWE-346: Origin Validation Error CWE
CWE-354: Improper Validation of Integrity Check Value CWE
CWE-451: User Interface (UI) Misrepresentation of Critical Information CWE
CWE-923: Improper Restriction of Communication Channel to Intended Endpoints CWE