CVE-2026-22694
CVE-2026-22694 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. AliasVault is a privacy-first password manager with built-in email aliasing. AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were validated. EPSS estimates a 0.11% chance of exploitation in the next 30 days.
Description
AliasVault is a privacy-first password manager with built-in email aliasing. AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were validated. Under certain local conditions, a malicious app could attempt to obtain a passkey response for a site it was not authorized to access. The issue involved incomplete validation of calling app identity, origin, and RP ID in the Android credential provider. This issue was fixed in AliasVault Android 0.25.3.
Metrics
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Aliasvault | Aliasvault | >= 0.24.0, < 0.25.3 |
References
- https://github.com/aliasvault/aliasvault/issues/1440 (Issue Tracking, Patch)
- https://github.com/aliasvault/aliasvault/pull/1441 (Issue Tracking, Patch)
- https://github.com/aliasvault/aliasvault/releases/tag/0.25.3 (Product, Release Notes)
- https://github.com/aliasvault/aliasvault/security/advisories/GHSA-mvg4-wvjv-332q (Mitigation, Patch, Vendor Advisory)
Timeline
- Published
- Last Modified
- Status: Analyzed
Source: NVD / NIST
