CVE-2026-33472

Description

Cryptomator is an open-source client-side encryption application for cloud storage. Version 1.19.1 contains a logic flaw in CheckHostTrustController.getAuthority() that allows an attacker to bypass the security fix for CVE-2026-32303. The method hardcodes the URI scheme based on port number, causing HTTPS URLs with port 80 to produce the same authority string as HTTP URLs, which defeats both the consistency check and the HTTP block validation. An attacker with write access to a cloud-synced vault.cryptomator file can craft a Hub configuration where apiBaseUrl and authEndpoint use HTTPS with port 80 to pass auto-trust validation, while tokenEndpoint uses plaintext HTTP. The vault is auto-trusted without user prompt, and a network-positioned attacker can intercept the OAuth token exchange to access the Cryptomator Hub API as the victim. This issue has been fixed in version 1.19.2.

CVSS v3.1 Score

4.8

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

EPSS — Exploit Prediction

0.0001

Probability of exploitation

0.01%

Percentile rank

EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.

Weakness Type (CWE)

CWE-305 CWE-305

CWE-319 CWE-319

Affected Products

Vendor	Product	Versions
cryptomator	cryptomator	< 1.19.2

References

Advisories & Patches

https://github.com/cryptomator/cryptomator/pull/4179 https://github.com/cryptomator/cryptomator/security/advisories/GHSA-9q8x-whrw-x44p https://github.com/cryptomator/cryptomator/security/advisories/GHSA-9q8x-whrw-x44p

Exploits

https://github.com/cryptomator/cryptomator/security/advisories/GHSA-9q8x-whrw-x44p https://github.com/cryptomator/cryptomator/security/advisories/GHSA-9q8x-whrw-x44p

Other References

https://github.com/cryptomator/cryptomator/releases/tag/1.19.2

Frequently Asked Questions

What is CVE-2026-33472? +

Cryptomator is an open-source client-side encryption application for cloud storage. Version 1.19.1 contains a logic flaw in CheckHostTrustController.getAuthority() that allows an attacker to bypass the security fix for CVE-2026-32303. The method hardcodes the URI scheme based on port number, causing HTTPS URLs with port 80 to produce the same authority string as HTTP URLs, which defeats both the consistency check and the HTTP block validation. An attacker with write access to a cloud-synced vault.cryptomator file can craft a Hub configuration where apiBaseUrl and authEndpoint use HTTPS with port 80 to pass auto-trust validation, while tokenEndpoint uses plaintext HTTP. The vault is auto-trusted without user prompt, and a network-positioned attacker can intercept the OAuth token exchange to access the Cryptomator Hub API as the victim. This issue has been fixed in version 1.19.2. It has a CVSS v3.1 base score of 4.8 (MEDIUM).

How severe is CVE-2026-33472? +

CVE-2026-33472 has a CVSS v3.1 score of 4.8 out of 10, rated MEDIUM. This is a medium-severity vulnerability that should be remediated as part of regular maintenance. The EPSS score is 0.0001, placing it in the 0th percentile for exploitation probability.

What products are affected by CVE-2026-33472? +

CVE-2026-33472 affects products from cryptomator, specifically: cryptomator. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2026-33472? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2026-40582

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and …

CVE-2025-53534

RatPanel is a server operation and maintenance management panel. In versions 2.3.19 through 2.5.5, when an attacker obtains the backend …

CVE-2024-1403 10.0

In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an …

CVE-2025-24522 10.0

KUNBUS Revolution Pi OS Bookworm 01/2025 is vulnerable because authentication is not configured by default for the Node-RED server. This …

CVE-2024-36388 10.0

MileSight DeviceHub - CWE-305 Missing Authentication for Critical Function

CVE-2026-4670 9.8

Authentication bypass by primary weakness vulnerability in Progress Software MOVEit Automation allows Authentication Bypass. This issue affects MOVEit Automation: from …