CVE-2026-22694

EUVD-2026-2679

14.01.2026, 17:16

AliasVault is a privacy-first password manager with built-in email aliasing. AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were validated. Under certain local conditions, a malicious app could attempt to obtain a passkey response for a site it was not authorized to access. The issue involved incomplete validation of calling app identity, origin, and RP ID in the Android credential provider. This issue was fixed in AliasVault Android 0.25.3.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.1 MEDIUM	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
GitHub_M	CNA	6.1 MEDIUM	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-346 - Origin Validation Error
The software does not properly verify that the source of data or communication is valid.

References

https://github.com/aliasvault/aliasvault/commit/b3350473103d6138ab2b63ca130c211717eac67d

https://github.com/aliasvault/aliasvault/issues/1440

https://github.com/aliasvault/aliasvault/pull/1441

https://github.com/aliasvault/aliasvault/releases/tag/0.25.3

https://github.com/aliasvault/aliasvault/security/advisories/GHSA-mvg4-wvjv-332q