CVE-2026-22694 Overview
CVE-2026-22694 is an Origin Validation Error (CWE-346) vulnerability in AliasVault, a privacy-first password manager with built-in email aliasing. The vulnerability exists in AliasVault Android versions 0.24.0 through 0.25.2 and involves improper validation of passkey requests from Android apps. Under certain local conditions, a malicious application installed on the same device could attempt to obtain a passkey response for a website it was not authorized to access.
The core issue stems from incomplete validation of calling app identity, origin, and RP ID (Relying Party Identifier) within the Android credential provider implementation. This flaw undermines the security guarantees that passkey authentication is designed to provide.
Critical Impact
A malicious Android app running locally could potentially bypass passkey authentication controls and obtain credentials for unauthorized websites, compromising user account security.
Affected Products
- AliasVault Android version 0.24.0
- AliasVault Android versions between 0.24.0 and 0.25.2
- AliasVault Android version 0.25.2
Discovery Timeline
- 2026-01-14 - CVE-2026-22694 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2026-22694
Vulnerability Analysis
This vulnerability affects the passkey validation mechanism in the AliasVault Android credential provider. The Android Credential Manager API allows password managers to serve as credential providers for both traditional passwords and modern passkey (WebAuthn) credentials. When an app requests a passkey, the credential provider must properly validate that the requesting app is legitimately associated with the website (Relying Party) it claims to represent.
The vulnerability occurs because the AliasVault credential provider did not completely validate three critical components during passkey requests: the calling app's identity (package signature), the origin claim, and the RP ID. This incomplete validation creates a window where a malicious app could craft requests that bypass proper authorization checks.
The attack requires local access, meaning an attacker would need to have a malicious app installed on the victim's device. With user interaction (such as the user attempting to use passkeys), the malicious app could potentially intercept or request passkey assertions for websites it should not have access to.
Root Cause
The root cause is classified as CWE-346: Origin Validation Error. The Android credential provider implementation failed to comprehensively validate the identity chain connecting a requesting app to its claimed website association. Proper passkey validation requires verifying:
- The calling app's package name and signature
- The origin claim matches the app's verified domain associations
- The RP ID corresponds to a legitimate relying party the app is authorized to access
The incomplete validation of these elements allowed potential bypass of the passkey security model.
Attack Vector
The attack vector is local, requiring a malicious application to be installed on the target Android device. The attack scenario involves:
- An attacker distributes a malicious Android app that gets installed on the victim's device
- The malicious app registers as a potential recipient of credential requests or crafts fraudulent passkey requests
- When the user interacts with passkey authentication, the malicious app exploits the validation gap
- The app could potentially obtain passkey responses for websites it should not have access to
This attack requires user interaction (the user must be performing passkey operations) and local presence on the device. The vulnerability could lead to unauthorized access to user accounts protected by passkeys stored in AliasVault.
Detection Methods for CVE-2026-22694
Indicators of Compromise
- Unusual passkey authentication attempts from apps that don't typically use WebAuthn credentials
- Multiple passkey requests originating from apps with mismatched package signatures or unverified domain associations
- Logs showing credential provider interactions with apps that lack proper assetlinks.json associations
Detection Strategies
- Monitor Android system logs for credential provider interactions and validate requesting app signatures
- Review installed applications for suspicious apps that may be attempting to access credential provider APIs
- Audit AliasVault app version to confirm whether vulnerable versions (0.24.0 - 0.25.2) are in use
Monitoring Recommendations
- Enable verbose logging for the AliasVault Android app to capture credential provider requests
- Implement enterprise mobile device management (MDM) policies to detect and alert on vulnerable app versions
- Review Android system audit logs for abnormal credential manager API usage patterns
How to Mitigate CVE-2026-22694
Immediate Actions Required
- Update AliasVault Android to version 0.25.3 or later immediately
- Review account activity for any services where passkeys were used during the vulnerable period
- Consider rotating or re-enrolling passkeys for sensitive accounts as a precautionary measure
- Audit installed applications and remove any suspicious or untrusted apps from the device
Patch Information
AliasVault has released version 0.25.3 which addresses this vulnerability by implementing complete validation of calling app identity, origin, and RP ID in the Android credential provider. The fix is available through the following resources:
- GitHub Release Version 0.25.3 - Official release with the security fix
- GitHub Commit Update - Commit b3350473103d6138ab2b63ca130c211717eac67d containing the fix
- GitHub Security Advisory GHSA-mvg4-wvjv-332q - Official security advisory with full details
Workarounds
- If immediate update is not possible, temporarily disable the credential provider functionality in AliasVault Android settings
- Avoid using passkey authentication until the app is updated to version 0.25.3 or later
- Use alternative authentication methods (traditional passwords with 2FA) for sensitive accounts until patched
- Ensure no untrusted applications are installed on the device to reduce local attack surface
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
