CVE-2026-32318

Published: Mar 20, 2026 Last Modified: Mar 20, 2026
HIGH 7.6
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: required
Scope: changed
Confidentiality: high
Integrity: low
Availability: none

Description

Cryptomator for iOS offers multi-platform transparent client-side encryption for files in the cloud. Prior to version 2.8.3, an integrity check vulnerability allows an attacker to tamper with the vault configuration file, leading to a man-in-the-middle vulnerability in the Hub key loading mechanism. Before this fix, the client trusted endpoints from the vault config without host authenticity checks, which could allow token exfiltration by mixing a legitimate auth endpoint with a malicious API endpoint. Impacted are users unlocking Hub-backed vaults with affected client versions in environments where an attacker can alter the vault.cryptomator file. This issue has been patched in version 2.8.3.
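
One way to express the missing host authenticity check, as an added example that is not Cryptomator's code or the actual patch: every endpoint read from the vault config must be HTTPS and name a host the user has already approved before any token is sent. The field names (`authEndpoint`, `tokenEndpoint`, `apiBaseUrl`), the allowlist approach and the sample hosts are assumptions, and the sample configs are constructed.

```python
from urllib.parse import urlsplit

# Assumed names for the Hub endpoints carried in the vault config.
ENDPOINT_FIELDS = ("authEndpoint", "tokenEndpoint", "apiBaseUrl")


def endpoint_violations(hub_config, trusted_hosts):
    """Return reasons the endpoints must not be used; an empty list means OK."""
    trusted = {h.lower() for h in trusted_hosts}
    problems = []
    for field in ENDPOINT_FIELDS:
        value = hub_config.get(field)
        if not isinstance(value, str) or not value:
            problems.append(f"{field}: missing")
            continue
        try:
            url = urlsplit(value)
            host = (url.hostname or "").lower().rstrip(".")
        except ValueError:
            problems.append(f"{field}: unparsable URL")
            continue
        if url.scheme != "https":
            problems.append(f"{field}: scheme is not https")
        if url.username is not None or url.password is not None:
            problems.append(f"{field}: userinfo present")
        # Exact host match: a trusted name used as a prefix or label does not count.
        if host not in trusted:
            problems.append(f"{field}: host {host!r} is not trusted")
    return problems


def may_send_token(hub_config, trusted_hosts):
    """The access token is released only if every endpoint passes."""
    return not endpoint_violations(hub_config, trusted_hosts)


# Constructed sample data: hosts the user approved, an untouched config, and a
# config whose API endpoint was swapped while the auth endpoints stay legitimate.
TRUSTED = {"auth.example.org", "hub.example.org"}
GOOD = {
    "authEndpoint": "https://auth.example.org/realms/demo/auth",
    "tokenEndpoint": "https://auth.example.org/realms/demo/token",
    "apiBaseUrl": "https://hub.example.org/api/",
}
TAMPERED = dict(GOOD, apiBaseUrl="https://hub.example.org.attacker.example/api/")

if __name__ == "__main__":
    print(endpoint_violations(GOOD, TRUSTED))
    print(endpoint_violations(TAMPERED, TRUSTED))
```

The check runs on the config as loaded, so it still applies when the vault.cryptomator file itself has been altered.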

CWE-346: Origin Validation Error

Status: Draft
Common Consequences
Security Scopes Affected: Other, Access Control
Potential Impacts: Gain Privileges Or Assume Identity, Varies By Context
Applicable Platforms
Technologies: Not Technology-Specific, Web Based

CWE-354: Improper Validation of Integrity Check Value

Status: Draft
Common Consequences
Security Scopes Affected: Integrity, Other, Non-Repudiation
Potential Impacts: Modify Application Data, Other, Hide Activities
Applicable Platforms
All platforms may be affected

CWE-451: User Interface (UI) Misrepresentation of Critical Information

Status: Draft
Common Consequences
Security Scopes Affected: Non-Repudiation, Access Control
Potential Impacts: Hide Activities, Bypass Protection Mechanism
Applicable Platforms
All platforms may be affected

CWE-923: Improper Restriction of Communication Channel to Intended Endpoints

Status: Incomplete
Common Consequences
Security Scopes Affected: Integrity, Confidentiality
Potential Impacts: Gain Privileges Or Assume Identity
Applicable Platforms
Technologies: Not Technology-Specific, Web Based, Web Server

https://github.com/cryptomator/ios/commit/98c31280304af65c0932eb547d5fe4be2d169…
https://github.com/cryptomator/ios/pull/444
https://github.com/cryptomator/ios/releases/tag/2.8.3
https://github.com/cryptomator/ios/security/advisories/GHSA-g7fr-c82r-hm6j