From 6c2865a09db668416c884fd0d050e093235457e1 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Thu, 19 Mar 2026 16:27:09 +0100
Subject: [PATCH 1/5] simplify port/scheme check

---
 .../ui/keyloading/hub/CheckHostTrustController.java   | 11 +++++------
 .../keyloading/hub/CheckHostTrustControllerTest.java  |  4 ++--
 2 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/CheckHostTrustController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/CheckHostTrustController.java
index 2201ed18d..18bdbfead 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/CheckHostTrustController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/CheckHostTrustController.java
@@ -160,12 +160,11 @@ public class CheckHostTrustController implements FxController {
 	}
 
 	public static String getAuthority(URI uri) {
-		return switch (uri.getPort()) {
-			case -1 -> "%s://%s".formatted(uri.getScheme(), uri.getHost());
-			case 80 -> "http://%s".formatted(uri.getHost());
-			case 443 -> "https://%s".formatted(uri.getHost());
-			default -> "%s://%s:%s".formatted(uri.getScheme(), uri.getHost(), uri.getPort());
-		};
+		if (uri.getPort() == -1) {
+			return "%s://%s".formatted(uri.getScheme(), uri.getHost());
+		} else {
+			return "%s://%s:%s".formatted(uri.getScheme(), uri.getHost(), uri.getPort());
+		}
 	}
 
 	//--- JavaFX property getter & setter
diff --git a/src/test/java/org/cryptomator/ui/keyloading/hub/CheckHostTrustControllerTest.java b/src/test/java/org/cryptomator/ui/keyloading/hub/CheckHostTrustControllerTest.java
index d6d104b7d..d6feefdb6 100644
--- a/src/test/java/org/cryptomator/ui/keyloading/hub/CheckHostTrustControllerTest.java
+++ b/src/test/java/org/cryptomator/ui/keyloading/hub/CheckHostTrustControllerTest.java
@@ -34,8 +34,8 @@ class CheckHostTrustControllerTest {
 			"https://example.com/foo/bar, https://example.com",
 			"https://example.com:8080, https://example.com:8080",
 			"https://user@example.com:8080/foo/bar, https://example.com:8080",
-			"https://user@example.com:443/foo/bar, https://example.com",
-			"http://user@example.com:80/foo/bar?foo=bar, http://example.com",
+			"https://user@example.com:443/foo/bar, https://example.com:443",
+			"http://user@example.com:80/foo/bar?foo=bar, http://example.com:80",
 			"http://user@example.com:8080/foo/bar?foo=bar, http://example.com:8080"
 	})
 	void testGetAuthority(String input, String expected) {

From f08e7d9b9258b9a8be974615758f2b364d17cb9c Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Thu, 19 Mar 2026 16:34:42 +0100
Subject: [PATCH 2/5] bump version to 1.19.2

---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index fdaf9b328..9a1d5fe00 100644
--- a/pom.xml
+++ b/pom.xml
@@ -3,7 +3,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>org.cryptomator</groupId>
 	<artifactId>cryptomator</artifactId>
-	<version>1.19.1</version>
+	<version>1.19.2</version>
 	<name>Cryptomator Desktop App</name>
 
 	<organization>

From ddad663489b5a22665796d075f90ff09151a1e80 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Thu, 19 Mar 2026 16:41:17 +0100
Subject: [PATCH 3/5] add release to metainfo file

---
 dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml b/dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml
index 4fe637189..8a788e537 100644
--- a/dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml
+++ b/dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml
@@ -84,6 +84,9 @@
 	</content_rating>
 
 	<releases>
+		<release date="2026-03-20" version="1.19.2">
+			<url type="details">https://github.com/cryptomator/cryptomator/releases/1.19.2</url>
+		</release>
 		<release date="2026-03-12" version="1.19.1">
 			<url type="details">https://github.com/cryptomator/cryptomator/releases/1.19.1</url>
 		</release>

From 62a439e10e92752a4335be0702ad3b4da2ba2658 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Fri, 13 Mar 2026 10:50:20 +0100
Subject: [PATCH 4/5] CHANGELOG.md: moved security fixes to subsection

[ci skip]
---
 CHANGELOG.md | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e14fff4b1..61f90478a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,16 +10,18 @@ Changes to prior versions can be found on the [Github release page](https://gith
 
 ## [1.19.1](https://github.com/cryptomator/cryptomator/releases/1.19.1) - 2026-03-12
 
-### Added
-* Cryptomator Hub: Trust on first use, adding new config properties `cryptomator.hub.allowedHosts` and `cryptomator.hub.enableTrustOnFirstUse` ([#4179](https://github.com/cryptomator/cryptomator/pull/4179))
-
-### Fixed
-* Fixed loading of masterkey file from arbitrary paths ([#4180](https://github.com/cryptomator/cryptomator/pull/4180))
-* **[Security]** Cryptomamtor Hub: Fixed possible man-in-the-middle attack with tampered vault config ([GHSA-34rf-rwr3-7g43](https://github.com/cryptomator/cryptomator/security/advisories/GHSA-34rf-rwr3-7g43))
-* Fixed Finder window opens twice when revealing vault on macOS ([#4177](https://github.com/cryptomator/cryptomator/pull/4177))
-* Fixed app does not start due to secret service detection failure on Linux ([#4175](https://github.com/cryptomator/cryptomator/pull/4175))
+### Security
+* Cryptomamtor Hub Vaults: Fixed possible man-in-the-middle attack with tampered vault config (#4179, [GHSA-34rf-rwr3-7g43](https://github.com/cryptomator/cryptomator/security/advisories/GHSA-34rf-rwr3-7g43))
+* Disallow unencrypted http connections to hub by default ([CVE-2026-32309](https://github.com/cryptomator/cryptomator/security/advisories/GHSA-vv33-h7qx-c264))
+* Disallow loading of masterkey file from arbitrary paths (#4180, [CVE-2026-32310](https://github.com/cryptomator/cryptomator/security/advisories/GHSA-5phc-5pfx-hr52))
 * Fixed not-configured plugin directory does not disable plugin search ([#4176](https://github.com/cryptomator/cryptomator/pull/4176))
 
+### Added
+* Trust on first use, adding new config properties `cryptomator.hub.allowedHosts` and `cryptomator.hub.enableTrustOnFirstUse` (#4179)
+
+### Fixed
+* Fixed Finder window opens twice when revealing vault on macOS ([#4177](https://github.com/cryptomator/cryptomator/pull/4177))
+* Fixed app does not start due to secret service detection failure on Linux ([#4175](https://github.com/cryptomator/cryptomator/pull/4175))
 
 ### Changed
 * Pin version of appimagetool([#4181](https://github.com/cryptomator/cryptomator/pull/4181))

From 2284d1fcee50e475370196c687a5ed8bccfd7ef1 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Fri, 20 Mar 2026 08:06:26 +0100
Subject: [PATCH 5/5] Update Changelog

---
 CHANGELOG.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 61f90478a..3b9d1a6ed 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 The changelog starts with version 1.19.0.
 Changes to prior versions can be found on the [Github release page](https://github.com/cryptomator/cryptomator/releases).
 
+## [1.19.2](https://github.com/cryptomator/cryptomator/releases/1.19.2) - 2026-03-20
+
+### Security
+* Cryptomamtor Hub Vaults: Additional patch for (#4179, [GHSA-34rf-rwr3-7g43](https://github.com/cryptomator/cryptomator/security/advisories/GHSA-34rf-rwr3-7g43))
+
 
 ## [1.19.1](https://github.com/cryptomator/cryptomator/releases/1.19.1) - 2026-03-12