CVE-2026-32310

{"id": "CVE-2026-32310", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2026-03-20T19:16:15.907", "references": [{"url": "https://github.com/cryptomator/cryptomator/commit/1e3dfe3de1623b1b85d24db91e49d31d1ea11f40", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/cryptomator/cryptomator/pull/4180", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/cryptomator/cryptomator/releases/tag/1.19.1", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/cryptomator/cryptomator/security/advisories/GHSA-5phc-5pfx-hr52", "tags": ["Vendor Advisory", "Mitigation"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Cryptomator encrypts data being stored on cloud infrastructure. From version 1.6.0 to before version 1.19.1, vault configuration is parsed before its integrity is verified, and the masterkeyfile loader uses the unverified keyId as a filesystem path. The loader resolves keyId.getSchemeSpecificPart() directly against the vault path and immediately calls Files.exists(...). This allows a malicious vault config to supply parent-directory escapes, absolute local paths, or UNC paths (e.g., masterkeyfile://attacker/share/masterkey.cryptomator). On Windows, the UNC variant is especially dangerous because Path.resolve(\"//attacker/share/...\") becomes \\\\attacker\\share\\..., so the existence check can trigger outbound SMB access before the user even enters a passphrase. This issue has been patched in version 1.19.1."}, {"lang": "es", "value": "Cryptomator cifra datos almacenados en infraestructura en la nube. Desde la versi\u00f3n 1.6.0 hasta antes de la versi\u00f3n 1.19.1, la configuraci\u00f3n de la b\u00f3veda se analiza antes de que se verifique su integridad, y el cargador de masterkeyfile utiliza el keyId no verificado como una ruta del sistema de archivos. El cargador resuelve keyId.getSchemeSpecificPart() directamente contra la ruta de la b\u00f3veda e inmediatamente llama a Files.exists(...). Esto permite a una configuraci\u00f3n de b\u00f3veda maliciosa proporcionar escapes de directorio padre, rutas locales absolutas o rutas UNC (p. ej., masterkeyfile://atacante/share/masterkey.cryptomator). En Windows, la variante UNC es especialmente peligrosa porque Path.resolve(\"//atacante/share/...\") se convierte en \\\\atacante\\share\\..., por lo que la verificaci\u00f3n de existencia puede activar el acceso SMB saliente antes de que el usuario siquiera introduzca una frase de contrase\u00f1a. Este problema ha sido parcheado en la versi\u00f3n 1.19.1."}], "lastModified": "2026-03-25T20:45:24.640", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cryptomator:cryptomator:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F58B7CCD-1796-4352-BBD5-0872CFAF41B5", "versionEndIncluding": "1.19.0", "versionStartIncluding": "1.6.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "2CF61F35-5905-4BA9-AD7E-7DB261D2F256"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "security-advisories@github.com"}