QwikSec

Security Database

CVE

CWE

Training

CVE-2026-22694

Published: Jan 14, 2026

Modified: Jan 14, 2026

PUBLISHED

CVSS v3.1

6.1

MEDIUM

Description

AliasVault is a privacy-first password manager with built-in email aliasing. AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were validated. Under certain local conditions, a malicious app could attempt to obtain a passkey response for a site it was not authorized to access. The issue involved incomplete validation of calling app identity, origin, and RP ID in the Android credential provider. This issue was fixed in AliasVault Android 0.25.3.

Vendor	Product	Versions
aliasvault	aliasvault	affected `>= 0.24.0, < 0.25.3`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

None

References

https://github.com/aliasvault/aliasvault/security/advisories/GHSA-mvg4-wvjv-332q

x_refsource_CONFIRM

https://github.com/aliasvault/aliasvault/issues/1440

x_refsource_MISC

https://github.com/aliasvault/aliasvault/pull/1441

x_refsource_MISC

https://github.com/aliasvault/aliasvault/commit/b3350473103d6138ab2b63ca130c211717eac67d

x_refsource_MISC

https://github.com/aliasvault/aliasvault/releases/tag/0.25.3

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.