CVE-2026-29110 - Vulnerability Details - OpenCVE

Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.0, in non-debug mode Cryptomator might leak cleartext paths into the log file. This can reveal meta information about the files stored inside a vault at a time, where the actual vault is closed. Not every cleartext path is logged. Only if a filesystem request fails for some reason (e.g. damaged encrypted file, not existing file), a log message is created. This issue has been patched in version 1.19.0.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

No data.

References

Link	Providers
https://github.com/cryptomator/cryptomator/security/advisories/GHSA-j83j-mwhc-rcgw

History

Fri, 06 Mar 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 06 Mar 2026 18:15:00 +0000

Type	Values Removed	Values Added
Description		Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.0, in non-debug mode Cryptomator might leak cleartext paths into the log file. This can reveal meta information about the files stored inside a vault at a time, where the actual vault is closed. Not every cleartext path is logged. Only if a filesystem request fails for some reason (e.g. damaged encrypted file, not existing file), a log message is created. This issue has been patched in version 1.19.0.
Title		Cryptomator: Leaking of cleartext paths into log file in non-debug mode
Weaknesses		CWE-209
References		https://github.com/cryptomator/cryptomator/security/advisories/GHSA-j83j-mwhc-rcgw
Metrics		cvssV3_1 `{'score': 2.2, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-06T17:53:53.948Z

Updated: 2026-03-06T18:33:33.603Z

Reserved: 2026-03-03T21:54:06.709Z

Link: CVE-2026-29110

Vulnrichment

Updated: 2026-03-06T18:33:29.906Z

NVD

Status : Received

Published: 2026-03-06T18:16:20.453

Modified: 2026-03-06T18:16:20.453

Link: CVE-2026-29110

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29110", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T21:54:06.709Z", "datePublished": "2026-03-06T17:53:53.948Z", "dateUpdated": "2026-03-06T18:33:33.603Z"}, "containers": {"cna": {"title": "Cryptomator: Leaking of cleartext paths into log file in non-debug mode", "problemTypes": [{"descriptions": [{"cweId": "CWE-209", "lang": "en", "description": "CWE-209: Generation of Error Message Containing Sensitive Information", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.2, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/cryptomator/cryptomator/security/advisories/GHSA-j83j-mwhc-rcgw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/cryptomator/cryptomator/security/advisories/GHSA-j83j-mwhc-rcgw"}], "affected": [{"vendor": "cryptomator", "product": "cryptomator", "versions": [{"version": "< 1.19.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T17:53:53.948Z"}, "descriptions": [{"lang": "en", "value": "Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.0, in non-debug mode Cryptomator might leak cleartext paths into the log file. This can reveal meta information about the files stored inside a vault at a time, where the actual vault is closed. Not every cleartext path is logged. Only if a filesystem request fails for some reason (e.g. damaged encrypted file, not existing file), a log message is created. This issue has been patched in version 1.19.0."}], "source": {"advisory": "GHSA-j83j-mwhc-rcgw", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T18:33:27.216732Z", "id": "CVE-2026-29110", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T18:33:33.603Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29110", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-06T18:33:27.216732Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T18:33:29.906Z"}}], "cna": {"title": "Cryptomator: Leaking of cleartext paths into log file in non-debug mode", "source": {"advisory": "GHSA-j83j-mwhc-rcgw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.2, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "cryptomator", "product": "cryptomator", "versions": [{"status": "affected", "version": "< 1.19.0"}]}], "references": [{"url": "https://github.com/cryptomator/cryptomator/security/advisories/GHSA-j83j-mwhc-rcgw", "name": "https://github.com/cryptomator/cryptomator/security/advisories/GHSA-j83j-mwhc-rcgw", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.0, in non-debug mode Cryptomator might leak cleartext paths into the log file. This can reveal meta information about the files stored inside a vault at a time, where the actual vault is closed. Not every cleartext path is logged. Only if a filesystem request fails for some reason (e.g. damaged encrypted file, not existing file), a log message is created. This issue has been patched in version 1.19.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-209", "description": "CWE-209: Generation of Error Message Containing Sensitive Information"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T17:53:53.948Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29110", "state": "PUBLISHED", "dateUpdated": "2026-03-06T18:33:33.603Z", "dateReserved": "2026-03-03T21:54:06.709Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T17:53:53.948Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}