CVE-2026-32310

EPSS 0.25%
Veröffentlicht 20.03.2026 18:19:30
Zuletzt bearbeitet 25.03.2026 20:45:24
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Cryptomator: Unverified masterkeyfile key IDs can access arbitrary local or UNC paths

Cryptomator encrypts data being stored on cloud infrastructure. From version 1.6.0 to before version 1.19.1, vault configuration is parsed before its integrity is verified, and the masterkeyfile loader uses the unverified keyId as a filesystem path. The loader resolves keyId.getSchemeSpecificPart() directly against the vault path and immediately calls Files.exists(...). This allows a malicious vault config to supply parent-directory escapes, absolute local paths, or UNC paths (e.g., masterkeyfile://attacker/share/masterkey.cryptomator). On Windows, the UNC variant is especially dangerous because Path.resolve("//attacker/share/...") becomes \\attacker\share\..., so the existence check can trigger outbound SMB access before the user even enters a passphrase. This issue has been patched in version 1.19.1.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cryptomator ≫ Cryptomator Version >= 1.6.0 <= 1.19.0

Microsoft ≫ Windows

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.25%	0.159

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
security-advisories@github.com	4.1	2.3	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://github.com/cryptomator/cryptomator/releases/tag/1.19.1

Release Notes

https://github.com/cryptomator/cryptomator/security/advisories/GHSA-5phc-5pfx-hr52

Vendor Advisory

Mitigation

https://github.com/cryptomator/cryptomator/pull/4180

Issue Tracking

https://github.com/cryptomator/cryptomator/commit/1e3dfe3de1623b1b85d24db91e49d31d1ea11f40

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-32310

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-32310

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-32310

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-32310