CVE-2026-2974 identifies a security vulnerability in the AliasVault App, specifically versions 0.25.0 through 0.25.3 on Android and iOS platforms. The vulnerability concerns the Backup Handler component, which manages the backup file located at shared_prefs/aliasvault.xml. This file contains sensitive API session tokens such as accessToken, refreshToken, metadata, key_derivation_params, and auth_methods. Due to improper handling or insufficient access control, these tokens can be exposed to an unauthorized local attacker who has access to the device. The attack vector is local, meaning the attacker must have physical or local access to the device, and the complexity of successfully exploiting this vulnerability is high. The tokens exposed do not directly allow decryption of the vault contents because AliasVault employs a zero-knowledge encryption model requiring the master password for decryption. However, the presence of these tokens in backups is unnecessary and could potentially aid an attacker in session hijacking or other indirect attacks. The vulnerability does not require user interaction and does not escalate privileges beyond local access. The vendor has addressed this issue in version 0.26.0 by removing sensitive tokens from backups. The CVSS 4.0 base score is 2.0, reflecting low severity due to limited impact and high exploitation complexity. No known exploits are currently active in the wild, but a public exploit exists. Users are advised to upgrade to the patched version to eliminate the risk.

The primary impact of CVE-2026-2974 is the potential exposure of API session tokens stored in backup files to unauthorized local attackers. While these tokens alone cannot decrypt the vault due to the zero-knowledge encryption design requiring the master password, their exposure could facilitate session hijacking or unauthorized API access if combined with other vulnerabilities or social engineering attacks. This could lead to partial compromise of user sessions or metadata leakage. The vulnerability requires local access and is difficult to exploit, limiting its scope primarily to scenarios where an attacker gains physical or local control of the device. For organizations, this vulnerability poses a low risk to confidentiality and integrity but could undermine user trust and security posture if exploited. The availability of a public exploit increases the importance of timely patching despite the low severity. Overall, the impact is limited but non-negligible, especially in high-security environments or where devices are shared or at risk of local compromise.

To mitigate CVE-2026-2974, organizations and users should upgrade the AliasVault App to version 0.26.0 or later, where the vulnerability has been patched by removing sensitive tokens from backup files. Additionally, enforcing strong device access controls such as biometric locks, PINs, or passwords reduces the risk of local attackers gaining access. Regularly auditing backup files and storage locations for sensitive data exposure can help detect similar issues proactively. Employing endpoint security solutions that monitor for unauthorized local access or file manipulations can further reduce risk. Educating users on the risks of physical device compromise and encouraging secure handling of mobile devices is also critical. For organizations deploying AliasVault in managed environments, consider restricting local backup creation or encrypting backups with keys separate from the app’s tokens. Finally, monitor for updates from the vendor and apply patches promptly to maintain security.