CVE-2026-32317: CWE-346: Origin Validation Error in cryptomator android
CVE-2026-32317 is a high-severity vulnerability in Cryptomator for Android versions prior to 1.12.3. It stems from an origin validation error where the client trusted endpoints specified in the vault configuration file without verifying host authenticity. This flaw allows an attacker who can tamper with the vault.cryptomator file to mix legitimate authentication endpoints with malicious API endpoints, leading to token exfiltration via a man-in-the-middle attack during the Hub key loading process. Exploitation requires the attacker to have the capability to alter the vault configuration file and the user to unlock a Hub-backed vault with a vulnerable client version. The vulnerability impacts confidentiality by exposing authentication tokens but does not affect availability. The issue has been patched in version 1.12.
AI Analysis
Technical Summary
Cryptomator for Android provides client-side encryption for cloud-stored files, ensuring data confidentiality across platforms. Prior to version 1.12.3, a critical vulnerability (CVE-2026-32317) existed due to improper origin validation (CWE-346) in the vault configuration file handling. Specifically, the client trusted endpoints defined in the vault.cryptomator file without verifying their authenticity or origin, allowing an attacker with the ability to modify this file to inject malicious API endpoints alongside legitimate authentication endpoints. This manipulation leads to a man-in-the-middle (MitM) scenario during the Hub key loading mechanism, where authentication tokens can be exfiltrated. The vulnerability requires low attack complexity (no special privileges beyond user-level, but user interaction is needed to unlock the vault) and network-level access to alter the vault file. The flaw impacts confidentiality severely by exposing sensitive tokens, while integrity is slightly affected due to tampering potential, and availability remains unaffected. The vulnerability is classified under multiple CWEs including origin validation error (CWE-346), improper authorization (CWE-354), exposure of sensitive information (CWE-451), and improper control of resource identifiers (CWE-923). The issue was publicly disclosed on March 20, 2026, with a CVSS v3.1 score of 7.6 (high severity). The vendor has addressed the vulnerability in Cryptomator Android version 1.12.3 by implementing proper host authenticity checks on endpoints specified in the vault configuration file, mitigating the risk of token theft and MitM attacks. No known exploits have been reported in the wild to date.
Potential Impact
This vulnerability primarily threatens the confidentiality of user authentication tokens, which can be exfiltrated by attackers capable of modifying the vault configuration file. Such token theft could allow unauthorized access to encrypted vaults or associated cloud services, potentially exposing sensitive user data. The integrity of the vault configuration is also compromised, as attackers can inject malicious endpoints, undermining trust in the client’s communication channels. Although availability is not directly impacted, the breach of confidentiality could lead to broader security incidents, including unauthorized data access or lateral movement within organizational environments. Organizations relying on Cryptomator Android clients for secure cloud file encryption, especially in environments where vault files are stored on shared or less secure storage, face increased risk. Attackers with network or local access to alter vault files could exploit this vulnerability to intercept authentication tokens, facilitating further attacks or data breaches. The vulnerability’s exploitation complexity is moderate, requiring user interaction and the ability to tamper with vault files, but the impact on confidentiality is high, making it a significant risk for users and organizations prioritizing data privacy and security.
Mitigation Recommendations
To mitigate this vulnerability, organizations and users should immediately update Cryptomator for Android to version 1.12.3 or later, where the issue is patched. Beyond patching, it is critical to enforce strict access controls on vault.cryptomator files to prevent unauthorized modification, including using secure storage solutions and applying file integrity monitoring. Network segmentation and endpoint security measures should be implemented to reduce the risk of attackers gaining the ability to alter vault files. Additionally, educating users about the risks of unlocking vaults in untrusted environments can reduce exposure. Organizations should also consider implementing multi-factor authentication (MFA) for cloud services integrated with Cryptomator to limit the impact of token theft. Regular audits of vault configuration files and monitoring for unusual authentication activity can help detect exploitation attempts early. Finally, developers should review and enhance origin validation and endpoint authentication mechanisms in client applications to prevent similar vulnerabilities.
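One way to express the host-authenticity check that the patched client is described as applying, as an added example (not Cryptomator's own code): every endpoint URL read from the Hub vault configuration is treated as untrusted input, and the set is rejected unless all endpoints share one https origin, optionally pinned to a host the user already trusts. This is the defensive counterpart of the mixed-endpoint tampering described above. The key names `authEndpoint`, `tokenEndpoint` and `apiBaseUrl`, the hostnames, and both sample configurations are assumptions constructed for illustration.

```python
"""Origin-consistency check for endpoint URLs read from an untrusted vault config.

Added example, not Cryptomator code. The vault configuration file is writable by
anyone who can reach the vault's storage, so nothing in it is trusted: the
endpoints it names are only accepted if they all share a single https origin,
and (if the caller supplies one) that origin matches a host the user already
trusts. Key names and hostnames below are assumptions for illustration.
"""
from urllib.parse import urlsplit

# Assumed key names for the endpoints a Hub-backed vault config carries.
ENDPOINT_KEYS = ("authEndpoint", "tokenEndpoint", "apiBaseUrl")


def origin_of(url):
    """Return (scheme, host, port) for url; raise ValueError if it is not a clean https URL."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"non-https endpoint: {url}")
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        raise ValueError(f"endpoint without host: {url}")
    if parts.username or parts.password:
        raise ValueError(f"endpoint carries userinfo: {url}")
    port = parts.port if parts.port is not None else 443  # .port raises ValueError if malformed
    return ("https", host, port)


def check_endpoint_origins(hub_config, trusted_host=None):
    """Return a list of findings for the endpoint set; an empty list means it is acceptable.

    Rules: every expected key must be present and parse as https; all endpoints
    must resolve to one origin (so an API endpoint cannot be pointed elsewhere
    while the auth endpoint stays legitimate); and if trusted_host is given,
    that origin's host must equal it.
    """
    findings = []
    origins = {}
    for key in ENDPOINT_KEYS:
        url = hub_config.get(key)
        if url is None:
            findings.append(f"missing endpoint: {key}")
            continue
        try:
            origins[key] = origin_of(url)
        except ValueError as exc:
            findings.append(str(exc))
    if not origins:
        return findings
    if len(set(origins.values())) > 1:
        desc = ", ".join(f"{k}={o[1]}:{o[2]}" for k, o in sorted(origins.items()))
        findings.append(f"mixed origins across endpoints: {desc}")
    if trusted_host is not None:
        for key, (_, host, _) in origins.items():
            if host != trusted_host.lower():
                findings.append(f"{key} host {host} is not the trusted host {trusted_host}")
    return findings


# Constructed sample configurations (hostnames are placeholders, not real services).
GOOD_CONFIG = {
    "authEndpoint": "https://hub.example.com/auth",
    "tokenEndpoint": "https://hub.example.com/token",
    "apiBaseUrl": "https://hub.example.com/api",
}
# Same auth endpoints, but the API base has been redirected to a different origin.
TAMPERED_CONFIG = {
    "authEndpoint": "https://hub.example.com/auth",
    "tokenEndpoint": "https://hub.example.com/token",
    "apiBaseUrl": "https://rogue.example.net/api",
}

if __name__ == "__main__":
    for name, cfg in (("intact", GOOD_CONFIG), ("tampered", TAMPERED_CONFIG)):
        findings = check_endpoint_origins(cfg, trusted_host="hub.example.com")
        print(name, "->", findings or "ok")
```

The same-origin rule is deliberately strict: a deployment that legitimately splits authentication and API hosts would need an explicit allowlist instead, but an allowlist the user controls is still a stronger position than trusting whatever the file names, which is the behaviour this advisory describes.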
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Sweden, Switzerland, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-11T21:16:21.660Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bd97dde32a4fbe5fbf1af6
Added to database: 3/20/2026, 6:54:21 PM
Last enriched: 3/27/2026, 7:37:56 PM
Last updated: 5/2/2026, 1:25:49 PM