CVE-2026-27802 (GCVE-0-2026-27802)
Vulnerability from cvelistv5 – Published: 2026-03-04 21:34 – Updated: 2026-03-05 15:42
VLAI?
Title
Vaultwarden: Privilege Escalation via Bulk Permission Update to Unauthorized Collections by Manager
Summary
Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, there is a privilege escalation vulnerability via bulk permission update to unauthorized collections by Manager. This issue has been patched in version 1.35.4.
Severity ?
8.3 (High)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| dani-garcia | vaultwarden |
Affected:
< 1.35.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27802",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-05T15:32:48.949245Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T15:42:42.152Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "vaultwarden",
"vendor": "dani-garcia",
"versions": [
{
"status": "affected",
"version": "\u003c 1.35.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, there is a privilege escalation vulnerability via bulk permission update to unauthorized collections by Manager. This issue has been patched in version 1.35.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T21:34:34.992Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-r32r-j5jq-3w4m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-r32r-j5jq-3w4m"
}
],
"source": {
"advisory": "GHSA-r32r-j5jq-3w4m",
"discovery": "UNKNOWN"
},
"title": "Vaultwarden: Privilege Escalation via Bulk Permission Update to Unauthorized Collections by Manager"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27802",
"datePublished": "2026-03-04T21:34:34.992Z",
"dateReserved": "2026-02-24T02:31:33.266Z",
"dateUpdated": "2026-03-05T15:42:42.152Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-27802",
"date": "2026-04-20",
"epss": "0.00052",
"percentile": "0.16046"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-27802\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-04T22:16:18.057\",\"lastModified\":\"2026-03-06T19:45:31.713\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, there is a privilege escalation vulnerability via bulk permission update to unauthorized collections by Manager. This issue has been patched in version 1.35.4.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L\",\"baseScore\":8.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":5.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-269\"},{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dani-garcia:vaultwarden:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.35.4\",\"matchCriteriaId\":\"3EE3AB66-F61B-479C-A6C3-C2EEEB6FD55A\"}]}]}],\"references\":[{\"url\":\"https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-r32r-j5jq-3w4m\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-27802\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-05T15:32:48.949245Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-05T15:32:50.060Z\"}}], \"cna\": {\"title\": \"Vaultwarden: Privilege Escalation via Bulk Permission Update to Unauthorized Collections by Manager\", \"source\": {\"advisory\": \"GHSA-r32r-j5jq-3w4m\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"dani-garcia\", \"product\": \"vaultwarden\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.35.4\"}]}], \"references\": [{\"url\": \"https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-r32r-j5jq-3w4m\", \"name\": \"https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-r32r-j5jq-3w4m\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, there is a privilege escalation vulnerability via bulk permission update to unauthorized collections by Manager. This issue has been patched in version 1.35.4.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-269\", \"description\": \"CWE-269: Improper Privilege Management\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"CWE-863: Incorrect Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-04T21:34:34.992Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-27802\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-05T15:42:42.152Z\", \"dateReserved\": \"2026-02-24T02:31:33.266Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-04T21:34:34.992Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
WID-SEC-W-2026-0594
Vulnerability from csaf_certbund - Published: 2026-03-04 23:00 - Updated: 2026-03-04 23:00Summary
Vaultwarden: Mehrere Schwachstellen
Severity
Hoch
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: Vaultwarden ist eine alternative Implementierung der Server API des Bitwarden Passwort-Managers.
Angriff: Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Vaultwarden ausnutzen, um Sicherheitsmaßnahmen zu umgehen, erweiterte Privilegien zu erlangen, vertrauliche Informationen offenzulegen und Daten zu manipulieren.
Betroffene Betriebssysteme: - Sonstiges
- UNIX
- Windows
References
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Vaultwarden ist eine alternative Implementierung der Server API des Bitwarden Passwort-Managers.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Vaultwarden ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, erweiterte Privilegien zu erlangen, vertrauliche Informationen offenzulegen und Daten zu manipulieren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Sonstiges\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-0594 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0594.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-0594 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0594"
},
{
"category": "external",
"summary": "GitHub Advisory Database vom 2026-03-04",
"url": "https://github.com/advisories/GHSA-h4hq-rgvh-wh27"
},
{
"category": "external",
"summary": "GitHub Advisory Database vom 2026-03-04",
"url": "https://github.com/advisories/GHSA-r32r-j5jq-3w4m"
},
{
"category": "external",
"summary": "GitHub Advisory Database vom 2026-03-04",
"url": "https://github.com/advisories/GHSA-v6pg-v89r-w8wr"
},
{
"category": "external",
"summary": "GitHub Advisory Database vom 2026-03-04",
"url": "https://github.com/advisories/GHSA-w9f8-m526-h7fh"
}
],
"source_lang": "en-US",
"title": "Vaultwarden: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2026-03-04T23:00:00.000+00:00",
"generator": {
"date": "2026-03-05T10:22:19.269+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2026-0594",
"initial_release_date": "2026-03-04T23:00:00.000+00:00",
"revision_history": [
{
"date": "2026-03-04T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c1.35.4",
"product": {
"name": "Open Source Vaultwarden \u003c1.35.4",
"product_id": "T051401"
}
},
{
"category": "product_version",
"name": "1.35.4",
"product": {
"name": "Open Source Vaultwarden 1.35.4",
"product_id": "T051401-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:vaultwarden:vaultwarden:1.35.4"
}
}
},
{
"category": "product_version_range",
"name": "\u003c1.35.0",
"product": {
"name": "Open Source Vaultwarden \u003c1.35.0",
"product_id": "T051402"
}
},
{
"category": "product_version",
"name": "1.35.0",
"product": {
"name": "Open Source Vaultwarden 1.35.0",
"product_id": "T051402-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:vaultwarden:vaultwarden:1.35.0"
}
}
}
],
"category": "product_name",
"name": "Vaultwarden"
}
],
"category": "vendor",
"name": "Open Source"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-27801",
"product_status": {
"known_affected": [
"T051402"
]
},
"release_date": "2026-03-04T23:00:00.000+00:00",
"title": "CVE-2026-27801"
},
{
"cve": "CVE-2026-27802",
"product_status": {
"known_affected": [
"T051401",
"T051402"
]
},
"release_date": "2026-03-04T23:00:00.000+00:00",
"title": "CVE-2026-27802"
},
{
"cve": "CVE-2026-27803",
"product_status": {
"known_affected": [
"T051401",
"T051402"
]
},
"release_date": "2026-03-04T23:00:00.000+00:00",
"title": "CVE-2026-27803"
},
{
"cve": "CVE-2026-27898",
"product_status": {
"known_affected": [
"T051401",
"T051402"
]
},
"release_date": "2026-03-04T23:00:00.000+00:00",
"title": "CVE-2026-27898"
}
]
}
FKIE_CVE-2026-27802
Vulnerability from fkie_nvd - Published: 2026-03-04 22:16 - Updated: 2026-03-06 19:45
Severity ?
Summary
Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, there is a privilege escalation vulnerability via bulk permission update to unauthorized collections by Manager. This issue has been patched in version 1.35.4.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| dani-garcia | vaultwarden | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:dani-garcia:vaultwarden:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3EE3AB66-F61B-479C-A6C3-C2EEEB6FD55A",
"versionEndExcluding": "1.35.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, there is a privilege escalation vulnerability via bulk permission update to unauthorized collections by Manager. This issue has been patched in version 1.35.4."
},
{
"lang": "es",
"value": "Vaultwarden es un servidor compatible con Bitwarden no oficial escrito en Rust, anteriormente conocido como bitwarden_rs. Anterior a la versi\u00f3n 1.35.4, existe una vulnerabilidad de escalada de privilegios a trav\u00e9s de la actualizaci\u00f3n masiva de permisos a colecciones no autorizadas por parte del Manager. Este problema ha sido parcheado en la versi\u00f3n 1.35.4."
}
],
"id": "CVE-2026-27802",
"lastModified": "2026-03-06T19:45:31.713",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.5,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-03-04T22:16:18.057",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-r32r-j5jq-3w4m"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-269"
},
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
GHSA-R32R-J5JQ-3W4M
Vulnerability from github – Published: 2026-03-04 20:07 – Updated: 2026-03-04 20:07
VLAI?
Summary
Vaultwarden has Privilege Escalation via Bulk Permission Update to Unauthorized Collections by Manager
Details
Summary
A Manager account (access_all=false) was able to escalate privileges by directly invoking the bulk-access API against collections that were not originally assigned to them.
The API allowed changing assigned=false to assigned=true, resulting in unauthorized access.
Additionally, prior to the bulk-access call, the regular single-update API correctly returned 401 Unauthorized for the same collection. After executing the bulk-access API, the same update API returned 200 OK, confirming an authorization gap at the HTTP level.
Description
- The endpoint accepts
ManagerHeadersLooseand does not validate access rights for the specifiedcollectionIds. src/api/core/organizations.rs:551
rust
headers: ManagerHeadersLoose,
- The received
collection_idsare processed directly without per-collection authorization checks. src/api/core/organizations.rs:564
rust
for col_id in data.collection_ids {
- Existing group assignments for the collection are deleted. src/api/core/organizations.rs:583
rust
CollectionGroup::delete_all_by_collection(&col_id, &conn).await?;
- Existing user assignments for the collection are deleted. src/api/core/organizations.rs:590
rust
CollectionUser::delete_all_by_collection(&col_id, &conn).await?;
- By comparison, another bulk-processing endpoint performs per-collection validation using
from_loose. src/api/core/organizations.rs:787
rust
let headers = ManagerHeaders::from_loose(headers, &collections, &conn).await?;
- The actual access control logic is implemented in
can_access_collection, which is not invoked in the bulk-access endpoint. src/auth.rs:911
rust
if !Collection::can_access_collection(&h.membership, col_id, conn).await {
Preconditions
- The attacker possesses a valid Manager account within the target organization.
- The organization contains collections that are not assigned to the attacker.
- The attacker can authenticate through the standard API login process (Owner/Admin privileges are not required).
Steps to Reproduce
-
Log in as a Manager and obtain a Bearer token.
-
Confirm the current values of
assigned,manage,readOnly, andhidePasswordsfor the target collection. -
Verify that the standard update API returns 401 Unauthorized when attempting to modify the unassigned collection.
-
Invoke the bulk-access API, including:
-
collectionIdscontaining the target collection -
userscontaining the attacker’s ownmembership_idConfirm that the API returns 200 OK. -
Re-run the standard update API. Confirm that it now succeeds and that the previously unauthorized modification is applied.
Required Minimum Privileges
- Manager role within the target organization
(the issue occurs even when
access_all=false)
Attack Scenario
A delegated administrator or department-level Manager within an organization directly calls the API to add themselves to unauthorized collections and gain access to confidential information.
Because the bulk update process deletes and reassigns existing permissions, the attacker can also remove other users’ access, enabling denial-of-service or sabotage within the organization.
Potential Impact
- Confidentiality: Unauthorized access to sensitive information within restricted collections.
- Integrity: Unauthorized modification of collection permission settings and arbitrary changes to access controls.
- Availability: Deletion of existing assignments may cause legitimate users to lose access.
Severity ?
8.3 (High)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.35.3"
},
"package": {
"ecosystem": "crates.io",
"name": "vaultwarden"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.35.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27802"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-04T20:07:21Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nA Manager account (`access_all=false`) was able to escalate privileges by directly invoking the **bulk-access API** against collections that were not originally assigned to them.\nThe API allowed changing `assigned=false` to `assigned=true`, resulting in unauthorized access.\n\nAdditionally, prior to the bulk-access call, the regular single-update API correctly returned **401 Unauthorized** for the same collection. After executing the bulk-access API, the same update API returned **200 OK**, confirming an authorization gap at the HTTP level.\n\n---\n\n## Description\n\n* The endpoint accepts `ManagerHeadersLoose` and does not validate access rights for the specified `collectionIds`.\n src/api/core/organizations.rs:551\n\n ```rust\n headers: ManagerHeadersLoose,\n ```\n\n* The received `collection_ids` are processed directly without per-collection authorization checks.\n src/api/core/organizations.rs:564\n\n ```rust\n for col_id in data.collection_ids {\n ```\n\n* Existing group assignments for the collection are deleted.\n src/api/core/organizations.rs:583\n\n ```rust\n CollectionGroup::delete_all_by_collection(\u0026col_id, \u0026conn).await?;\n ```\n\n* Existing user assignments for the collection are deleted.\n src/api/core/organizations.rs:590\n\n ```rust\n CollectionUser::delete_all_by_collection(\u0026col_id, \u0026conn).await?;\n ```\n\n* By comparison, another bulk-processing endpoint performs per-collection validation using `from_loose`.\n src/api/core/organizations.rs:787\n\n ```rust\n let headers = ManagerHeaders::from_loose(headers, \u0026collections, \u0026conn).await?;\n ```\n\n* The actual access control logic is implemented in `can_access_collection`, which is not invoked in the bulk-access endpoint.\n src/auth.rs:911\n\n ```rust\n if !Collection::can_access_collection(\u0026h.membership, col_id, conn).await {\n ```\n\n---\n\n## Preconditions\n\n* The attacker possesses a valid **Manager account** within the target organization.\n* The organization contains collections that are **not assigned** to the attacker.\n* The attacker can authenticate through the standard API login process (Owner/Admin privileges are not required).\n\n---\n\n## Steps to Reproduce\n\n1. Log in as a Manager and obtain a Bearer token.\n\u003cimg width=\"4016\" height=\"1690\" alt=\"image\" src=\"https://github.com/user-attachments/assets/218f05e2-6a2e-4066-8f8d-6bbef1cc5858\" /\u003e\n\n2. Confirm the current values of `assigned`, `manage`, `readOnly`, and `hidePasswords` for the target collection.\n\u003cimg width=\"4026\" height=\"1694\" alt=\"image\" src=\"https://github.com/user-attachments/assets/a6d2fc70-5370-4984-85bd-a6f74febdfa3\" /\u003e\n\n3. Verify that the standard update API returns **401 Unauthorized** when attempting to modify the unassigned collection.\n\u003cimg width=\"4030\" height=\"1708\" alt=\"image\" src=\"https://github.com/user-attachments/assets/802f0d2b-d474-44d2-beef-b4f7f3335225\" /\u003e\n\n4. Invoke the bulk-access API, including:\n\u003cimg width=\"4036\" height=\"1120\" alt=\"image\" src=\"https://github.com/user-attachments/assets/1d3caa01-3ac2-4636-9ed0-189e5923c986\" /\u003e\n\n * `collectionIds` containing the target collection\n * `users` containing the attacker\u2019s own `membership_id`\n Confirm that the API returns **200 OK**.\n\n5. Re-run the standard update API.\n Confirm that it now succeeds and that the previously unauthorized modification is applied.\n\u003cimg width=\"4040\" height=\"1440\" alt=\"image\" src=\"https://github.com/user-attachments/assets/340e9676-d802-404c-b894-9986a176360a\" /\u003e\n\n---\n\n## Required Minimum Privileges\n\n* Manager role within the target organization\n (the issue occurs even when `access_all=false`)\n\n---\n\n## Attack Scenario\n\nA delegated administrator or department-level Manager within an organization directly calls the API to add themselves to unauthorized collections and gain access to confidential information.\n\nBecause the bulk update process deletes and reassigns existing permissions, the attacker can also remove other users\u2019 access, enabling denial-of-service or sabotage within the organization.\n\n---\n\n## Potential Impact\n\n* **Confidentiality:** Unauthorized access to sensitive information within restricted collections.\n* **Integrity:** Unauthorized modification of collection permission settings and arbitrary changes to access controls.\n* **Availability:** Deletion of existing assignments may cause legitimate users to lose access.",
"id": "GHSA-r32r-j5jq-3w4m",
"modified": "2026-03-04T20:07:21Z",
"published": "2026-03-04T20:07:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-r32r-j5jq-3w4m"
},
{
"type": "PACKAGE",
"url": "https://github.com/dani-garcia/vaultwarden"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Vaultwarden has Privilege Escalation via Bulk Permission Update to Unauthorized Collections by Manager"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…