CVE-2026-2974 in AliasVault App
Summary
by MITRE • 02/23/2026
A vulnerability was identified in AliasVault App up to 0.25.3 on Android/iOS. It affects unknown code in the file shared_prefs/aliasvault.xml of the component Backup Handler. Manipulation of the argument accessToken/refreshToken/metadata/key_derivation_params/auth_methods leads to exposure of the backup file to an unauthorized control sphere. The attack must be carried out locally and is considered to have high complexity; exploitability is stated to be difficult. An exploit is publicly available and might be used. Upgrading to version 0.26.0 resolves this issue. The identifier of the patch is 873ecc03f92238e162f98a068ad56069a922b4f6/0bd662320174d8265dfe3b05a04bc13efc960532. It is recommended to upgrade the affected component. The creator of the software explains: "Because of AliasVault's zero-knowledge encryption design, the tokens stored in aliasvault.xml are API session tokens that cannot decrypt the vault on their own: the master password is required for that. So while this isn't a direct vault compromise risk, there's no reason to include them in backups either."
Analysis
by VulDB Data Team • 03/12/2026
This vulnerability resides in the AliasVault mobile application's backup handling, specifically the shared_prefs/aliasvault.xml file that stores sensitive authentication parameters. The flaw lies in the Backup Handler component: access tokens, refresh tokens, metadata, key derivation parameters, and authentication methods are written to a file that is carried into backups and can be read by unauthorized parties. It is a classic case of insecure data storage in a mobile application, where session information is persisted in a way that exposes it to a local attacker who can read or alter the stored values and thereby influence backup operations.
The technical implementation of this vulnerability stems from the improper handling of authentication credentials within the application's local storage system. Attackers with local access to the device can exploit this weakness by directly modifying the shared_prefs/aliasvault.xml file to manipulate the accessToken, refreshToken, metadata, key_derivation_params, and auth_methods arguments. This manipulation creates a scenario where backup files become accessible to unauthorized entities, potentially enabling them to hijack backup processes or gain access to additional system resources. The high complexity required for exploitation and the difficult exploitability rating suggest that while the vulnerability exists, it requires specific conditions and technical knowledge to successfully compromise the system.
The operational impact of this vulnerability extends beyond simple data exposure, as it creates potential pathways for attackers to compromise the application's backup integrity and potentially gain unauthorized access to user data. Even though the application's creator notes that these tokens alone cannot decrypt the vault due to the zero-knowledge encryption design, the presence of these session tokens in backup files creates a risk vector that could be exploited in conjunction with other attack vectors. The vulnerability affects both Android and iOS platforms, indicating a widespread impact across mobile operating systems and suggesting that the issue stems from platform-agnostic implementation flaws rather than specific OS vulnerabilities.
Security professionals should recognize this vulnerability as a variant of CWE-312 (Cleartext Storage of Sensitive Information) and potentially CWE-522 (Insufficiently Protected Credentials) within the context of mobile application security. The attack vector classification aligns with ATT&CK technique T1074.001 (Data Staged) and T1021.001 (Remote Desktop Protocol), as attackers can leverage local access to manipulate backup files and potentially establish persistent access to system resources. The publicly available exploit and the relatively straightforward patching mechanism suggest that this vulnerability represents a significant security risk that organizations should address immediately.
The recommended mitigation strategy involves upgrading to version 0.26.0, which contains the specific patches identified by the commit hashes 873ecc03f92238e162f98a068ad56069a922b4f6 and 0bd662320174d8265dfe3b05a04bc13efc960532. However, organizations should also implement additional security controls such as verifying the integrity of backup files, implementing proper access controls on local storage, and conducting regular security audits of mobile application components. The application's design decision to store API session tokens in backup files despite the zero-knowledge encryption model highlights the importance of proper security architecture decisions and the need for comprehensive threat modeling that considers all potential attack vectors, including backup and restore mechanisms that may be exploited by local attackers.
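As an added illustration (not AliasVault's code and not what the referenced patch does), the check below parses a shared_prefs document and an Android full-backup-content rules file and reports which of the keys named in the advisory would be carried into a backup. The sample XML, the placeholder token values, and the assumption that the exclusion is expressed as a sharedpref exclude rule are all constructed here.

```python
"""Audit whether session secrets in a shared_prefs file would land in an Android backup."""
import xml.etree.ElementTree as ET

# Keys the advisory lists as stored in shared_prefs/aliasvault.xml
SENSITIVE_KEYS = {"accessToken", "refreshToken", "metadata",
                  "key_derivation_params", "auth_methods"}

# Constructed sample of the preferences file; values are placeholders, not real tokens
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="accessToken">PLACEHOLDER_ACCESS_TOKEN</string>
    <string name="refreshToken">PLACEHOLDER_REFRESH_TOKEN</string>
    <string name="key_derivation_params">{"iterations":100000}</string>
    <boolean name="darkMode" value="true" />
</map>"""

# Constructed backup rules: the first ships every pref file, the second excludes ours
RULES_WEAK = """<full-backup-content>
    <include domain="sharedpref" path="." />
</full-backup-content>"""

RULES_FIXED = """<full-backup-content>
    <include domain="sharedpref" path="." />
    <exclude domain="sharedpref" path="aliasvault.xml" />
</full-backup-content>"""


def sensitive_keys_in_prefs(prefs_xml):
    """Return, sorted, the sensitive keys actually present in a shared_prefs document."""
    root = ET.fromstring(prefs_xml)
    return sorted(SENSITIVE_KEYS & {el.get("name") for el in root})


def prefs_file_excluded(rules_xml, filename):
    """True if an <exclude domain="sharedpref"> rule covers this file (or all pref files)."""
    root = ET.fromstring(rules_xml)
    for el in root.iter("exclude"):
        if el.get("domain") == "sharedpref" and el.get("path") in (filename, "."):
            return True
    return False


def leaked_keys(prefs_xml, rules_xml, filename="aliasvault.xml"):
    """Sensitive keys that a backup produced under these rules would contain."""
    if prefs_file_excluded(rules_xml, filename):
        return []
    return sensitive_keys_in_prefs(prefs_xml)


if __name__ == "__main__":
    print("weak rules leak:", leaked_keys(SAMPLE_PREFS, RULES_WEAK))
    print("fixed rules leak:", leaked_keys(SAMPLE_PREFS, RULES_FIXED))
```

The same two functions can be pointed at a device's pulled shared_prefs file and the app's backup rules resource to confirm that the upgrade actually keeps the file out of backups.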