{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77374?format=json","vulnerability_id":"VCID-vces-83pw-rffd","summary":"Cryptomator for iOS offers multi-platform transparent client-side encryption for files in the cloud. Prior to version 2.8.3, an integrity check vulnerability allows an attacker to tamper with the vault configuration file, leading to a man-in-the-middle vulnerability in the Hub key loading mechanism. Before this fix, the client trusted endpoints from the vault config without host authenticity checks, which could allow token exfiltration by mixing a legitimate auth endpoint with a malicious API endpoint. Impacted are users unlocking Hub-backed vaults with affected client versions in environments where an attacker can alter the vault.cryptomator file. This issue has been patched in version 2.8.3.","aliases":[{"alias":"CVE-2026-32318"}],"fixed_packages":[],"affected_packages":[],"references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32318","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03997","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.04009","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03992","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32318"},{"reference_url":"https://github.com/cryptomator/ios/releases/tag/2.8.3","reference_id":"2.8.3","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T19:20:21Z/"}],"url":"https://github.com/cryptomator/ios/releases/tag/2.8.3"},{"reference_url":"https://github.com/cryptomator/ios/pull/444","reference_id":"444","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T19:20:21Z/"}],"url":"https://github.com/cryptomator/ios/pull/444"},{"reference_url":"https://github.com/cryptomator/ios/commit/98c31280304af65c0932eb547d5fe4be2d16929c","reference_id":"98c31280304af65c0932eb547d5fe4be2d16929c","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T19:20:21Z/"}],"url":"https://github.com/cryptomator/ios/commit/98c31280304af65c0932eb547d5fe4be2d16929c"},{"reference_url":"https://github.com/cryptomator/ios/security/advisories/GHSA-g7fr-c82r-hm6j","reference_id":"GHSA-g7fr-c82r-hm6j","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T19:20:21Z/"}],"url":"https://github.com/cryptomator/ios/security/advisories/GHSA-g7fr-c82r-hm6j"}],"weaknesses":[{"cwe_id":346,"name":"Origin Validation Error","description":"The product does not properly verify that the source of data or communication is valid."},{"cwe_id":354,"name":"Improper Validation of Integrity Check Value","description":"The product does not validate or incorrectly validates the integrity check values or checksums of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission."},{"cwe_id":451,"name":"User Interface (UI) Misrepresentation of Critical Information","description":"The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks."},{"cwe_id":923,"name":"Improper Restriction of Communication Channel to Intended Endpoints","description":"The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint."}],"exploits":[],"severity_range_score":"7.6 - 7.6","exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vces-83pw-rffd"}