CVE-2026-22694 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2026-22694

CVE-2026-22694

January 14, 2026

AliasVault is a privacy-first password manager with built-in email aliasing. AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were validated. Under certain local conditions, a malicious app could attempt to obtain a passkey response for a site it was not authorized to access. The issue involved incomplete validation of calling app identity, origin, and RP ID in the Android credential provider. This issue was fixed in AliasVault Android 0.25.3.

Affected Packages

https://github.com/aliasvault/aliasvault.git (GITHUB):

Affected version(s) >=0.24.0 <0.25.3

Fix Suggestion:

Update to version 0.25.3

Related Resources (5)

https://github.com/aliasvault/aliasvault/pull/1441

https://github.com/aliasvault/aliasvault/security/advisories/GHSA-mvg4-wvjv-332q

https://github.com/aliasvault/aliasvault/issues/1440

https://github.com/aliasvault/aliasvault/releases/tag/0.25.3

https://github.com/aliasvault/aliasvault/commit/b3350473103d6138ab2b63ca130c211717eac67d

Do you need more information?

CVSS v4

Base Score:

6.9

Attack Vector

LOCAL

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

PASSIVE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

HIGH

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

6.1

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

LOW

Integrity

HIGH

Availability

NONE

Weakness Type (CWE)

Origin Validation Error

CWE-346

EPSS

Base Score:

0.01

Products

Solutions

Resources

Company

Compare

Developer Tools