CVE-2026-2974 | AliasVault App up to 0.25.3 on Android/iOS Backup aliasvault.xml backup (Issue 1497)
A vulnerability classified as problematic has been found in AliasVault App up to 0.25.3 on Android/iOS. It affects unknown code of the file shared_prefs/aliasvault.xml in the component Backup Handler. Manipulation of the arguments accessToken/refreshToken/metadata/key_derivation_params/auth_methods leads to exposure of the backup file to an unauthorized control sphere.
This vulnerability is tracked as CVE-2026-2974. The attack requires local access. Furthermore, an exploit is available.
It is recommended to upgrade the affected component.
The creator of the software explains: “Because of AliasVault’s zero-knowledge encryption design, the tokens stored in aliasvault.xml are API session tokens that cannot decrypt the vault on their own: the master password is required for that. So while this isn’t a direct vault compromise risk, there’s no reason to include them in backups either.”