Anonymous Intelligence Signal

Cryptomator Hub OAuth Token Exchange HTTP Downgrade Bypass Exposed (CVE-2026-32303)

Author: The Lab (human) | Status: unverified | 2026-04-17 12:22:55 | Source: GitHub Issues

A critical logic flaw in Cryptomator Hub's OAuth flow allows attackers to bypass a previous security fix and force a downgrade to plaintext HTTP, exposing user access tokens. The vulnerability, tracked as CVE-2026-33472, resides in the `CheckHostTrustController.getAuthority()` method of version 1.19.1. This method incorrectly derives the URI scheme from the port number instead of reading it from the URL, so an HTTPS URL on port 80 produces the same authority string as a plain HTTP URL. This scheme/port confusion defeats both the consistency check and the HTTP block validation that were implemented to patch the earlier CVE-2026-32303.

An attacker with write access to a cloud-synced `vault.cryptomator` file can exploit this flaw by crafting a malicious Hub configuration. They can set the `apiBaseUrl` and `authEndpoint` to use HTTPS on port 80, which passes the auto-trust validation checks. Meanwhile, the `tokenEndpoint` can be set to use plaintext HTTP. This configuration mismatch is not detected, causing the vault to be auto-trusted without any user prompt or warning.
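To make the failure mode concrete, the following is an added model of the validation pattern the advisory describes; it is not Cryptomator Hub's code, and the function names, the assumed shape of the bypassed check (HTTP block applied only to `apiBaseUrl`, other endpoints compared by authority string) and the sample configuration are all constructed for illustration. It places a port-derived authority beside a scheme-aware one and shows that only the hardened check rejects a configuration whose `tokenEndpoint` is plain HTTP while the other endpoints use HTTPS on port 80.

```python
from urllib.parse import urlsplit

# Constructed model of the validation pattern the advisory describes; it is not
# Cryptomator Hub's code, and the function and config key handling are assumptions.

DEFAULT_PORTS = {"http": 80, "https": 443}
ENDPOINT_KEYS = ("apiBaseUrl", "authEndpoint", "tokenEndpoint")


def port_derived_authority(url: str) -> str:
    """Flawed pattern: the scheme is inferred from the port instead of read from
    the URL, so https://hub.example.test:80 and http://hub.example.test collapse
    to the same authority string."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS[parts.scheme.lower()]
    scheme = "https" if port == 443 else "http"
    return f"{scheme}://{parts.hostname.lower()}:{port}"


def scheme_aware_authority(url: str) -> str:
    """Hardened form: the scheme comes from the URL itself; the port is only
    normalised to the scheme's default when it is absent."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported or malformed URL: {url!r}")
    port = parts.port or DEFAULT_PORTS[scheme]
    return f"{scheme}://{parts.hostname.lower()}:{port}"


def vulnerable_auto_trust(config: dict) -> tuple[bool, str]:
    """Assumed model of the bypassed check: the HTTP block inspects only
    apiBaseUrl's scheme, and the remaining endpoints are compared to it by the
    port-derived authority, so a plain-HTTP tokenEndpoint is not noticed."""
    base = config["apiBaseUrl"]
    if urlsplit(base).scheme.lower() != "https":
        return False, "apiBaseUrl is not https"
    expected = port_derived_authority(base)
    for key in ENDPOINT_KEYS[1:]:
        if port_derived_authority(config[key]) != expected:
            return False, f"{key} authority mismatch"
    return True, "auto-trusted"


def hardened_auto_trust(config: dict) -> tuple[bool, str]:
    """Hardened check: every endpoint must be https on its own (independent of
    port), and the scheme-aware authorities of all endpoints must agree."""
    authorities = set()
    for key in ENDPOINT_KEYS:
        url = config.get(key, "")
        if urlsplit(url).scheme.lower() != "https":
            return False, f"{key} is not https"
        authorities.add(scheme_aware_authority(url))
    if len(authorities) != 1:
        return False, f"endpoint authorities differ: {sorted(authorities)}"
    return True, "auto-trusted"


# Constructed sample configurations shaped like the advisory's scenario.
MIXED_CONFIG = {
    "apiBaseUrl": "https://hub.example.test:80/api/",
    "authEndpoint": "https://hub.example.test:80/auth",
    "tokenEndpoint": "http://hub.example.test/token",
}

CLEAN_CONFIG = {
    "apiBaseUrl": "https://hub.example.test/api/",
    "authEndpoint": "https://hub.example.test:443/auth",
    "tokenEndpoint": "https://hub.example.test/token",
}

if __name__ == "__main__":
    for name, cfg in (("mixed", MIXED_CONFIG), ("clean", CLEAN_CONFIG)):
        print(name, "vulnerable:", vulnerable_auto_trust(cfg))
        print(name, "hardened:  ", hardened_auto_trust(cfg))
```

Running the block shows the mixed configuration being auto-trusted by the port-derived check and rejected by the hardened one, while the all-HTTPS configuration passes both. The design point is that a transport-security decision must be made on the scheme each endpoint actually declares, never on a value reconstructed from the port, and it must be applied to every endpoint the client will talk to rather than to one representative URL.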

The consequence is a classic man-in-the-middle attack vector. A network-positioned attacker can intercept the OAuth token exchange, which is now conducted over an unencrypted HTTP connection. Successful interception grants the attacker the user's OAuth token, providing unauthorized access to the Cryptomator vault and the encrypted data within it. This flaw is a severe security regression: it undermines the client-side encryption guarantee by exposing the authentication handshake itself.