CVE-2026-22694

6.1 MEDIUM

📋 TL;DR

This vulnerability in the AliasVault Android app allows a malicious app installed on the same device to obtain passkey responses for websites it should not have access to. The issue stems from incomplete validation of the calling app's identity, origin, and RP ID in the credential provider. Only Android users running AliasVault versions 0.24.0 through 0.25.2 are affected.

💻 Affected Systems

Products:
  • AliasVault Android
Versions: 0.24.0 through 0.25.2
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Android version of AliasVault. Requires malicious app to be installed on same device.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

A malicious app could steal passkey credentials for sensitive websites, potentially leading to account compromise and identity theft.

🟠

Likely Case

Local malicious app could access passkeys for some websites, but requires specific conditions and user interaction patterns.

🟢

If Mitigated

With proper app isolation and user awareness, impact is limited to potential exposure of non-critical passkeys.

🌐 Internet-Facing: LOW - This is a local Android app vulnerability, not directly internet-facing.
🏢 Internal Only: MEDIUM - Requires local malicious app installation, but could affect corporate devices with sensitive credentials.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local malicious app installation and specific conditions. No public exploit code available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.25.3

Vendor Advisory: https://github.com/aliasvault/aliasvault/security/advisories/GHSA-mvg4-wvjv-332q

Restart Required: Yes

Instructions:

1. Open Google Play Store
2. Search for AliasVault
3. Tap Update to version 0.25.3 or higher
4. Restart the app after update

🔧 Temporary Workarounds

Disable passkey functionality (platform: android)

Temporarily disable passkey features in AliasVault settings until patched

Uninstall suspicious apps (platform: android)

Remove any unknown or untrusted apps from the Android device

🧯 If You Can't Patch

  • Uninstall AliasVault and use alternative password manager
  • Enable Android Play Protect and only install apps from trusted sources

🔍 How to Verify

Check if Vulnerable:

Check AliasVault version in app settings: Settings > About > Version

Check Version:

Not applicable - check via app UI

Verify Fix Applied:

Confirm version is 0.25.3 or higher in app settings

📡 Detection & Monitoring

Log Indicators:

  • Unusual passkey request patterns
  • Multiple failed credential validations

Network Indicators:

  • Not applicable - local vulnerability

SIEM Query:

Not applicable for local Android app vulnerability

🔗 References
