6.1
CVE-2026-22694
- EPSS 0.11%
- Veröffentlicht 14.01.2026 16:32:36
- Zuletzt bearbeitet 05.03.2026 13:45:38
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginAliasVault is Missing Origin Validation in Android Passkey Credential Provider
AliasVault is a privacy-first password manager with built-in email aliasing. AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were validated. Under certain local conditions, a malicious app could attempt to obtain a passkey response for a site it was not authorized to access. The issue involved incomplete validation of calling app identity, origin, and RP ID in the Android credential provider. This issue was fixed in AliasVault Android 0.25.3.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Aliasvault ≫ Aliasvault Version >= 0.24.0 < 0.25.3
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.11% | 0.016 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.1 | 1.8 | 4.2 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
|
| security-advisories@github.com | 6.1 | 1.8 | 4.2 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
|
CWE-346 Origin Validation Error
The product does not properly verify that the source of data or communication is valid.
https://github.com/aliasvault/aliasvault/security/advisories/GHSA-mvg4-wvjv-332q
https://github.com/aliasvault/aliasvault/issues/1440
https://github.com/aliasvault/aliasvault/pull/1441
https://github.com/aliasvault/aliasvault/commit/b3350473103d6138ab2b63ca130c211717eac67d
https://github.com/aliasvault/aliasvault/releases/tag/0.25.3