CVE-2026-2974: Exposure of Backup File to an Unauthorized Control Sphere in AliasVault App
CVE-2026-2974 is a vulnerability in the AliasVault App, versions 0.25.0 through 0.25.3 on Android and iOS, that exposes a backup file containing API session tokens to unauthorized local attackers. The Backup Handler component includes the SharedPreferences file shared_prefs/aliasvault.xml, which holds the app's API session tokens, in backups. Exploitation requires local access with low privileges and no user interaction, and is rated high complexity. Because the app uses zero-knowledge encryption, the tokens cannot decrypt the vault without the master password, but their exposure is still a security risk. The CVSS 4.0 base score is 2.0 (low). The issue is fixed in version 0.26.0.
AI Analysis
Technical Summary
CVE-2026-2974 affects AliasVault App versions 0.25.0 through 0.25.3 on Android and iOS. The Backup Handler component includes the Android SharedPreferences file shared_prefs/aliasvault.xml in backups; that file carries the API session state, including the keys accessToken, refreshToken, metadata, key_derivation_params and auth_methods. These values serve API session management. Because of the app's zero-knowledge design, none of them can decrypt the vault without the master password, but their presence in a backup that a local actor can read is an exposure of credentials that should never have left the app's private storage. The attack vector is local, with low privileges, no user interaction and high attack complexity. The vulnerability does not directly compromise vault contents, but an attacker holding the tokens may be able to act against the API as the victim's session or use the metadata for reconnaissance. Exploit code is publicly available, which raises the likelihood of exploitation despite the complexity. The issue is fixed in AliasVault App 0.26.0 by removing these tokens from backups. The CVSS 4.0 base score is 2.0, reflecting the limited impact and high attack complexity.
Potential Impact
The primary impact is the unauthorized exposure of API session tokens in backup files, which a local attacker could use to obtain limited session-level access or to learn about the victim's vault usage. The tokens alone cannot decrypt the vault without the master password, but their compromise may enable follow-on attacks such as session hijacking or targeted phishing. Organizations relying on the AliasVault App for password management face partial credential exposure and reduced confidence in backup confidentiality. The need for local access and the high exploitation complexity limit the scope, but insiders or attackers with physical device access could exploit the issue. Vault availability and integrity are unaffected. Overall the impact is low but non-negligible for environments with sensitive data and strict security requirements.
Mitigation Recommendations
Upgrade the AliasVault App to version 0.26.0 or later, where the sensitive API tokens are no longer written to backup files. Note that backups created with an affected version still contain the tokens: delete or re-create them after upgrading, and re-authenticate so that new session tokens are issued and, where the service supports it, the old sessions are invalidated. Enforce device access controls (strong lock screen, biometric unlock, device encryption) to limit unauthorized local access. Audit backup files and the locations where they are stored to confirm that session material is not present. Make users aware of the risk of local device compromise and discourage physical access by untrusted parties. Monitor for unusual session activity that could indicate token misuse. In managed deployments, consider restricting backup creation or storage on shared or insecure media. Keep the app and the device's software patched.
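The audit step above is concrete enough to automate. The following is an added example, not AliasVault's code and not the vendor's fix: it parses an Android SharedPreferences dump (the same XML layout as shared_prefs/aliasvault.xml) taken from an extracted backup, flags the keys the advisory names, and shows a redaction pass that drops the session credentials so the remaining data could still be backed up. The sample XML and its values are constructed placeholders, and the severity labels and the keyword heuristic for unlisted keys are this example's own choices.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Keys that CVE-2026-2974 reports inside shared_prefs/aliasvault.xml. The two
# bearer-style credentials are the ones that must never reach a backup; the
# others are surfaced so an auditor can decide case by case.
SESSION_TOKEN_KEYS = frozenset({"accessToken", "refreshToken"})
OTHER_REPORTED_KEYS = frozenset({"metadata", "key_derivation_params", "auth_methods"})

# Constructed sample in Android SharedPreferences XML layout. Values are
# placeholders, not real AliasVault data.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="accessToken">eyJhbGciOiJIUzI1NiJ9.example.access</string>
    <string name="refreshToken">rt_example_refresh_token</string>
    <string name="metadata">{"vaultRevision":12}</string>
    <string name="key_derivation_params">{"algorithm":"argon2id","iterations":2}</string>
    <string name="auth_methods">["password"]</string>
    <boolean name="biometrics_enabled" value="true" />
    <int name="schema_version" value="3" />
</map>
"""


def classify_key(name: str) -> Optional[str]:
    """Return a severity label for a preference key, or None if it is benign."""
    if name in SESSION_TOKEN_KEYS:
        return "session-credential"
    if name in OTHER_REPORTED_KEYS:
        return "review"
    lowered = name.lower()
    # Heuristic for keys the advisory does not name (assumption of this example).
    if any(hint in lowered for hint in ("token", "secret", "password", "apikey")):
        return "session-credential"
    return None


def audit_prefs(xml_text: str) -> Dict[str, str]:
    """Map every flagged key in a SharedPreferences dump to its classification."""
    root = ET.fromstring(xml_text)
    if root.tag != "map":
        raise ValueError("not an Android SharedPreferences file")
    findings: Dict[str, str] = {}
    for entry in root:
        name = entry.get("name")
        if name is None:
            continue
        label = classify_key(name)
        if label is not None:
            findings[name] = label
    return findings


def strip_session_tokens(xml_text: str) -> str:
    """Return the XML with session-credential entries removed.

    Mirrors the shape of the vendor fix (tokens no longer in backed-up prefs);
    this is an illustration, not the project's implementation.
    """
    root = ET.fromstring(xml_text)
    for entry in list(root):
        if classify_key(entry.get("name", "")) == "session-credential":
            root.remove(entry)
    return ET.tostring(root, encoding="unicode")


def backup_is_clean(xml_text: str) -> bool:
    """True when no session credential would ride along in a backup."""
    return not any(v == "session-credential" for v in audit_prefs(xml_text).values())


if __name__ == "__main__":
    for key, label in sorted(audit_prefs(SAMPLE_PREFS).items()):
        print(f"{label:18} {key}")
    print("clean before:", backup_is_clean(SAMPLE_PREFS))
    print("clean after: ", backup_is_clean(strip_session_tokens(SAMPLE_PREFS)))
```

Run it against the shared_prefs XML files recovered from an Android backup archive; any "session-credential" finding means the backup must be treated as a leaked credential and the session rotated, whichever app produced it.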
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, South Korea, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-22T14:47:26.948Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699bed72be58cf853b3d54c5
Added to database: 2/23/2026, 6:02:26 AM
Last enriched: 2/23/2026, 6:16:26 AM
Last updated: 2/23/2026, 10:03:23 AM
Views: 5
Related Threats
- CVE-2026-2983: Improper Access Controls in SourceCodester Student Result Management System (Medium)
- CVE-2025-41002: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in MANANTIAL DE IDEAS, S.L. Infoticketing (Critical)
- CVE-2026-2981: Buffer Overflow in UTT HiPER 810G (High)
- CVE-2026-25747: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache Camel (Unknown)
- CVE-2026-23552: CWE-346 Origin Validation Error in Apache Software Foundation Apache Camel (Unknown)