CVE-2026-22694

6.1 MEDIUM
Published: January 14, 2026 Modified: March 05, 2026
View on NVD

Description

AliasVault is a privacy-first password manager with built-in email aliasing. AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were validated. Under certain local conditions, a malicious app could attempt to obtain a passkey response for a site it was not authorized to access. The issue involved incomplete validation of calling app identity, origin, and RP ID in the Android credential provider. This issue was fixed in AliasVault Android 0.25.3.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/aliasvault/aliasvault/commit/b3350473103d6138ab2b63ca130c211717eac67d
Source: security-advisories@github.com
Patch
https://github.com/aliasvault/aliasvault/issues/1440
Source: security-advisories@github.com
Patch Issue Tracking
https://github.com/aliasvault/aliasvault/pull/1441
Source: security-advisories@github.com
Issue Tracking Patch
https://github.com/aliasvault/aliasvault/releases/tag/0.25.3
Source: security-advisories@github.com
Product Release Notes
https://github.com/aliasvault/aliasvault/security/advisories/GHSA-mvg4-wvjv-332q
Source: security-advisories@github.com
Patch Vendor Advisory Mitigation

5 reference(s) from NVD

Quick Stats

CVSS v3 Score
6.1 / 10.0
EPSS (Exploit Probability)
0.0%
1th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-346

Affected Vendors

aliasvault

Related CVEs

CVE-2026-4595 2.4
CVE-2026-33723 7.1
CVE-2026-33719 8.6
CVE-2026-33717 8.8
CVE-2026-33716 9.4