CVE-2026-33472 Overview
CVE-2026-33472 is an authentication bypass vulnerability in Cryptomator, an open-source client-side encryption application for cloud storage. Version 1.19.1 contains a logic flaw in CheckHostTrustController.getAuthority() that allows an attacker to bypass the security fix for CVE-2026-32303. The method hardcodes the URI scheme based on port number, causing HTTPS URLs with port 80 to produce the same authority string as HTTP URLs, which defeats both the consistency check and the HTTP block validation.
An attacker with write access to a cloud-synced vault.cryptomator file can craft a Hub configuration where apiBaseUrl and authEndpoint use HTTPS with port 80 to pass auto-trust validation, while tokenEndpoint uses plaintext HTTP. The vault is auto-trusted without user prompt, and a network-positioned attacker can intercept the OAuth token exchange to access the Cryptomator Hub API as the victim.
Critical Impact
Network-positioned attackers can intercept OAuth tokens and impersonate victims on the Cryptomator Hub API by exploiting the URI scheme logic flaw in trust validation.
Affected Products
- Cryptomator version 1.19.1
- Cryptomator versions prior to 1.19.2
Discovery Timeline
- 2026-04-16 - CVE-2026-33472 published to NVD
- 2026-04-16 - Last updated in NVD database
Technical Details for CVE-2026-33472
Vulnerability Analysis
This vulnerability is classified under CWE-305 (Authentication Bypass by Primary Weakness), representing a fundamental flaw in how Cryptomator validates trusted hosts during the OAuth authentication flow. The issue arises from an incorrect assumption in the CheckHostTrustController.getAuthority() method, where the URI scheme (HTTP vs HTTPS) is determined solely based on the port number rather than the actual protocol specified in the URL.
When processing URLs, the method assumes that port 80 always indicates HTTP and port 443 always indicates HTTPS. This creates a scenario where an HTTPS URL explicitly using port 80 (e.g., https://malicious-server.com:80/) is incorrectly treated as HTTP for authority string generation purposes. This bypass defeats the security measures implemented in response to CVE-2026-32303.
Root Cause
The root cause is a hardcoded port-to-scheme mapping in the getAuthority() method that does not account for non-standard port configurations. The method prioritizes port number over the actual URI scheme, creating an inconsistency between how URLs are validated during trust checks versus how they are processed during actual OAuth token exchange operations. This logic flaw allows mixed-protocol configurations to pass validation when they should be rejected.
Attack Vector
The attack requires an adversary with write access to a cloud-synced vault.cryptomator file. The attacker crafts a malicious Hub configuration with carefully chosen URLs:
- The attacker sets apiBaseUrl and authEndpoint to use HTTPS URLs with port 80 (e.g., https://hub.example.com:80/api)
- The attacker sets tokenEndpoint to use plaintext HTTP
- When the victim opens the vault, the auto-trust validation passes because all endpoints produce identical authority strings
- The HTTP block validation is also bypassed due to the scheme confusion
- During OAuth token exchange, the tokenEndpoint communicates over unencrypted HTTP
- A network-positioned attacker (man-in-the-middle) intercepts the OAuth token
- The attacker uses the stolen token to access the Cryptomator Hub API as the victim
The vulnerability is exploitable without user interaction beyond opening a compromised vault file, though it requires the attacker to have both write access to the vault configuration and network positioning for token interception.
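The following is an added defender-side example, not Cryptomator's own code: it derives the endpoint authority from the actual scheme (the reverse of the flawed port-to-scheme mapping described above) and flags a Hub configuration that mixes HTTPS-on-port-80 endpoints with a plaintext tokenEndpoint. It assumes vault.cryptomator is a JWT whose header carries a `hub` object with the apiBaseUrl, authEndpoint and tokenEndpoint fields; the sample vault file and both configurations are constructed here, and the check doubles as the manual verification suggested under Workarounds.

```python
import base64
import json
from urllib.parse import urlsplit

HUB_ENDPOINT_FIELDS = ("apiBaseUrl", "authEndpoint", "tokenEndpoint")

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def load_hub_config(vault_jwt: str) -> dict:
    # Assumed layout: the Hub endpoint URLs sit in a 'hub' object of the JWT header.
    header = json.loads(_b64url_decode(vault_jwt.split(".")[0]))
    return header.get("hub", {})

def authority(url: str) -> tuple:
    """(scheme, host, effective port): the port follows the real scheme, never the
    reverse, so https://host:80 and http://host yield different authorities."""
    u = urlsplit(url)
    scheme = (u.scheme or "").lower()
    port = u.port if u.port is not None else {"https": 443, "http": 80}.get(scheme)
    return (scheme, (u.hostname or "").lower(), port)

def check_hub_config(hub: dict) -> list:
    """Return findings; an empty list means every endpoint shares one HTTPS authority."""
    findings, auths = [], {}
    for field in HUB_ENDPOINT_FIELDS:
        url = hub.get(field)
        if not url:
            findings.append(f"{field}: missing")
            continue
        a = auths[field] = authority(url)
        if a[0] != "https":
            findings.append(f"{field}: plaintext scheme {a[0]!r}")
        elif a[2] == 80:
            findings.append(f"{field}: HTTPS on port 80 (CVE-2026-33472 pattern)")
    if len(set(auths.values())) > 1:
        findings.append("endpoints do not share one scheme/host/port authority")
    return findings

def make_vault_jwt(hub: dict) -> str:
    # Constructed sample vault.cryptomator: header carries the Hub config, rest is dummy.
    b64 = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return ".".join([b64({"typ": "JWT", "alg": "ES384", "hub": hub}), b64({}), "sig"])

# Constructed Hub configurations: the CVE-2026-33472 pattern beside a clean one.
MALICIOUS_HUB = {"apiBaseUrl": "https://hub.example.com:80/api",
                 "authEndpoint": "https://hub.example.com:80/auth",
                 "tokenEndpoint": "http://hub.example.com/token"}
BENIGN_HUB = {k: v.replace("http://", "https://").replace(":80", "") for k, v in MALICIOUS_HUB.items()}
```

Running `check_hub_config(load_hub_config(make_vault_jwt(MALICIOUS_HUB)))` reports the two HTTPS-on-port-80 endpoints, the plaintext tokenEndpoint and the authority mismatch, while the benign configuration yields no findings.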
Detection Methods for CVE-2026-33472
Indicators of Compromise
- Unexpected modifications to vault.cryptomator files in cloud-synced directories
- Hub configuration URLs using HTTPS with non-standard port 80
- OAuth token exchange traffic occurring over plaintext HTTP
- Discrepancies between configured endpoint schemes and actual network traffic protocols
Detection Strategies
- Monitor for modifications to vault.cryptomator files, particularly changes to apiBaseUrl, authEndpoint, and tokenEndpoint fields
- Implement network traffic analysis to detect OAuth token exchanges occurring over unencrypted HTTP connections
- Review cloud storage audit logs for unauthorized modifications to Cryptomator vault configuration files
- Deploy endpoint detection rules to alert on Cryptomator processes making HTTP connections to authentication endpoints
Monitoring Recommendations
- Enable file integrity monitoring on directories containing Cryptomator vault files
- Configure network security tools to flag HTTP traffic containing OAuth tokens or authorization codes
- Implement alerting for Cryptomator Hub API access from unusual IP addresses or geolocations
- Monitor for patterns indicating man-in-the-middle positioning on network segments used by Cryptomator clients
How to Mitigate CVE-2026-33472
Immediate Actions Required
- Upgrade Cryptomator to version 1.19.2 or later immediately
- Review all vault.cryptomator files for suspicious Hub configurations, particularly endpoints using non-standard port configurations
- Revoke and regenerate any OAuth tokens that may have been compromised
- Audit cloud storage access logs for unauthorized modifications to vault configuration files
Patch Information
This vulnerability has been fixed in Cryptomator version 1.19.2. The fix addresses the logic flaw in CheckHostTrustController.getAuthority() to properly validate URI schemes independently of port numbers. Users should upgrade immediately by downloading the latest release from the official GitHub Release page. Additional technical details about the fix are available in Pull Request #4179 and the GitHub Security Advisory GHSA-9q8x-whrw-x44p.
Workarounds
- Manually verify that all Hub configuration endpoints in vault.cryptomator files use consistent HTTPS URLs with standard ports before opening vaults
- Avoid using cloud-synced vaults in untrusted network environments until the patch is applied
- Implement strict access controls on cloud storage to prevent unauthorized modification of vault configuration files
- Use network-level protections (VPN, secure DNS) to reduce man-in-the-middle attack opportunities
# Verify Cryptomator version is patched
cryptomator --version
# Expected output: 1.19.2 or higher
# Inspect vault configuration for suspicious endpoints (Linux/macOS).
# vault.cryptomator is a JWT whose base64url-encoded header carries the Hub
# settings, so decode the first segment (restoring padding) before searching it.
cut -d. -f1 /path/to/vault.cryptomator | tr '_-' '/+' | awk '{ while (length($0) % 4) $0 = $0 "="; print }' | base64 -d | grep -oE '"(apiBaseUrl|authEndpoint|tokenEndpoint)" *: *"[^"]*"'
# Ensure all endpoints use HTTPS with standard ports (443 or omitted)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

