Vulnerability in Cryptomator

CVE-2026-32309

Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.1, the Hub-based unlock flow explicitly supports hub+http and consumes Hub endpoints from vault metadata without enforcing HTTPS. As a result, a vault co…

EPSS: 0.000 (1.6th percentile) — read the EPSS interpretation.

Affected products

Cryptomator — versions < 1.19.1

Weakness classification (CWE)

CWE-319 — Cleartext Transmission of Sensitive Information

References

https://github.com/cryptomator/cryptomator/security/advisories/GHSA-vv33-h7qx-c264 (x_refsource_CONFIRM)
https://github.com/cryptomator/cryptomator/releases/tag/1.19.1 (x_refsource_MISC)