Vulnerability Description
Cryptomator encrypts data being stored on cloud infrastructure. From version 1.6.0 to before version 1.19.1, vault configuration is parsed before its integrity is verified, and the masterkeyfile loader uses the unverified keyId as a filesystem path. The loader resolves keyId.getSchemeSpecificPart() directly against the vault path and immediately calls Files.exists(...). This allows a malicious vault config to supply parent-directory escapes, absolute local paths, or UNC paths (e.g., masterkeyfile://attacker/share/masterkey.cryptomator). On Windows, the UNC variant is especially dangerous because Path.resolve("//attacker/share/...") becomes \\attacker\share\..., so the existence check can trigger outbound SMB access before the user even enters a passphrase. This issue has been patched in version 1.19.1.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cryptomator | Cryptomator | >= 1.6.0, <= 1.19.0 |
| Microsoft | Windows | All versions |
Related Weaknesses (CWE)
References
- https://github.com/cryptomator/cryptomator/commit/1e3dfe3de1623b1b85d24db91e49d3Patch
- https://github.com/cryptomator/cryptomator/pull/4180Issue Tracking
- https://github.com/cryptomator/cryptomator/releases/tag/1.19.1Release Notes
- https://github.com/cryptomator/cryptomator/security/advisories/GHSA-5phc-5pfx-hrVendor AdvisoryMitigation
FAQ
What is CVE-2026-32310?
CVE-2026-32310 is a vulnerability with a CVSS score of 4.1 (MEDIUM). Cryptomator encrypts data being stored on cloud infrastructure. From version 1.6.0 to before version 1.19.1, vault configuration is parsed before its integrity is verified, and the masterkeyfile loade...
How severe is CVE-2026-32310?
CVE-2026-32310 has been rated MEDIUM with a CVSS base score of 4.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-32310?
Check the references section above for vendor advisories and patch information. Affected products include: Cryptomator Cryptomator, Microsoft Windows.