CVE-2026-29110

EUVD-2026-10052

06.03.2026, 18:16

Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.0, in non-debug mode Cryptomator might leak cleartext paths into the log file. This can reveal meta information about the files stored inside a vault at a time, where the actual vault is closed. Not every cleartext path is logged. Only if a filesystem request fails for some reason (e.g. damaged encrypted file, not existing file), a log message is created. This issue has been patched in version 1.19.0.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	2.2 LOW	LOCAL	HIGH	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
cryptomator	cryptomator	𝑥 < 1.19.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-209 - Generation of Error Message Containing Sensitive Information
The software generates an error message that includes sensitive information about its environment, users, or associated data.

References

https://github.com/cryptomator/cryptomator/security/advisories/GHSA-j83j-mwhc-rcgw