GHSA-R32R-J5JQ-3W4M

Vulnerability from github – Published: 2026-03-04 20:07 – Updated: 2026-03-04 20:07
VLAI?
Summary
Vaultwarden has Privilege Escalation via Bulk Permission Update to Unauthorized Collections by Manager
Details

Summary

A Manager account (access_all=false) was able to escalate privileges by directly invoking the bulk-access API against collections that were not originally assigned to them. The API allowed changing assigned=false to assigned=true, resulting in unauthorized access.

Additionally, prior to the bulk-access call, the regular single-update API correctly returned 401 Unauthorized for the same collection. After executing the bulk-access API, the same update API returned 200 OK, confirming an authorization gap at the HTTP level.

Description

  • The endpoint accepts ManagerHeadersLoose and does not validate access rights for the specified collectionIds. src/api/core/organizations.rs:551

rust headers: ManagerHeadersLoose,

  • The received collection_ids are processed directly without per-collection authorization checks. src/api/core/organizations.rs:564

rust for col_id in data.collection_ids {

  • Existing group assignments for the collection are deleted. src/api/core/organizations.rs:583

rust CollectionGroup::delete_all_by_collection(&col_id, &conn).await?;

  • Existing user assignments for the collection are deleted. src/api/core/organizations.rs:590

rust CollectionUser::delete_all_by_collection(&col_id, &conn).await?;

  • By comparison, another bulk-processing endpoint performs per-collection validation using from_loose. src/api/core/organizations.rs:787

rust let headers = ManagerHeaders::from_loose(headers, &collections, &conn).await?;

  • The actual access control logic is implemented in can_access_collection, which is not invoked in the bulk-access endpoint. src/auth.rs:911

rust if !Collection::can_access_collection(&h.membership, col_id, conn).await {

Preconditions

  • The attacker possesses a valid Manager account within the target organization.
  • The organization contains collections that are not assigned to the attacker.
  • The attacker can authenticate through the standard API login process (Owner/Admin privileges are not required).

Steps to Reproduce

  1. Log in as a Manager and obtain a Bearer token. image

  2. Confirm the current values of assigned, manage, readOnly, and hidePasswords for the target collection. image

  3. Verify that the standard update API returns 401 Unauthorized when attempting to modify the unassigned collection. image

  4. Invoke the bulk-access API, including: image

  5. collectionIds containing the target collection

  6. users containing the attacker’s own membership_id Confirm that the API returns 200 OK.

  7. Re-run the standard update API. Confirm that it now succeeds and that the previously unauthorized modification is applied. image

Required Minimum Privileges

  • Manager role within the target organization (the issue occurs even when access_all=false)

Attack Scenario

A delegated administrator or department-level Manager within an organization directly calls the API to add themselves to unauthorized collections and gain access to confidential information.

Because the bulk update process deletes and reassigns existing permissions, the attacker can also remove other users’ access, enabling denial-of-service or sabotage within the organization.

Potential Impact

  • Confidentiality: Unauthorized access to sensitive information within restricted collections.
  • Integrity: Unauthorized modification of collection permission settings and arbitrary changes to access controls.
  • Availability: Deletion of existing assignments may cause legitimate users to lose access.
Severity ?
8.3 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.35.3"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "vaultwarden"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.35.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27802"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-04T20:07:21Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nA Manager account (`access_all=false`) was able to escalate privileges by directly invoking the **bulk-access API** against collections that were not originally assigned to them.\nThe API allowed changing `assigned=false` to `assigned=true`, resulting in unauthorized access.\n\nAdditionally, prior to the bulk-access call, the regular single-update API correctly returned **401 Unauthorized** for the same collection. After executing the bulk-access API, the same update API returned **200 OK**, confirming an authorization gap at the HTTP level.\n\n---\n\n## Description\n\n* The endpoint accepts `ManagerHeadersLoose` and does not validate access rights for the specified `collectionIds`.\n  src/api/core/organizations.rs:551\n\n  ```rust\n  headers: ManagerHeadersLoose,\n  ```\n\n* The received `collection_ids` are processed directly without per-collection authorization checks.\n  src/api/core/organizations.rs:564\n\n  ```rust\n  for col_id in data.collection_ids {\n  ```\n\n* Existing group assignments for the collection are deleted.\n  src/api/core/organizations.rs:583\n\n  ```rust\n  CollectionGroup::delete_all_by_collection(\u0026col_id, \u0026conn).await?;\n  ```\n\n* Existing user assignments for the collection are deleted.\n  src/api/core/organizations.rs:590\n\n  ```rust\n  CollectionUser::delete_all_by_collection(\u0026col_id, \u0026conn).await?;\n  ```\n\n* By comparison, another bulk-processing endpoint performs per-collection validation using `from_loose`.\n  src/api/core/organizations.rs:787\n\n  ```rust\n  let headers = ManagerHeaders::from_loose(headers, \u0026collections, \u0026conn).await?;\n  ```\n\n* The actual access control logic is implemented in `can_access_collection`, which is not invoked in the bulk-access endpoint.\n  src/auth.rs:911\n\n  ```rust\n  if !Collection::can_access_collection(\u0026h.membership, col_id, conn).await {\n  ```\n\n---\n\n## Preconditions\n\n* The attacker possesses a valid **Manager account** within the target organization.\n* The organization contains collections that are **not assigned** to the attacker.\n* The attacker can authenticate through the standard API login process (Owner/Admin privileges are not required).\n\n---\n\n## Steps to Reproduce\n\n1. Log in as a Manager and obtain a Bearer token.\n\u003cimg width=\"4016\" height=\"1690\" alt=\"image\" src=\"https://github.com/user-attachments/assets/218f05e2-6a2e-4066-8f8d-6bbef1cc5858\" /\u003e\n\n2. Confirm the current values of `assigned`, `manage`, `readOnly`, and `hidePasswords` for the target collection.\n\u003cimg width=\"4026\" height=\"1694\" alt=\"image\" src=\"https://github.com/user-attachments/assets/a6d2fc70-5370-4984-85bd-a6f74febdfa3\" /\u003e\n\n3. Verify that the standard update API returns **401 Unauthorized** when attempting to modify the unassigned collection.\n\u003cimg width=\"4030\" height=\"1708\" alt=\"image\" src=\"https://github.com/user-attachments/assets/802f0d2b-d474-44d2-beef-b4f7f3335225\" /\u003e\n\n4. Invoke the bulk-access API, including:\n\u003cimg width=\"4036\" height=\"1120\" alt=\"image\" src=\"https://github.com/user-attachments/assets/1d3caa01-3ac2-4636-9ed0-189e5923c986\" /\u003e\n\n   * `collectionIds` containing the target collection\n   * `users` containing the attacker\u2019s own `membership_id`\n     Confirm that the API returns **200 OK**.\n\n5. Re-run the standard update API.\n   Confirm that it now succeeds and that the previously unauthorized modification is applied.\n\u003cimg width=\"4040\" height=\"1440\" alt=\"image\" src=\"https://github.com/user-attachments/assets/340e9676-d802-404c-b894-9986a176360a\" /\u003e\n\n---\n\n## Required Minimum Privileges\n\n* Manager role within the target organization\n  (the issue occurs even when `access_all=false`)\n\n---\n\n## Attack Scenario\n\nA delegated administrator or department-level Manager within an organization directly calls the API to add themselves to unauthorized collections and gain access to confidential information.\n\nBecause the bulk update process deletes and reassigns existing permissions, the attacker can also remove other users\u2019 access, enabling denial-of-service or sabotage within the organization.\n\n---\n\n## Potential Impact\n\n* **Confidentiality:** Unauthorized access to sensitive information within restricted collections.\n* **Integrity:** Unauthorized modification of collection permission settings and arbitrary changes to access controls.\n* **Availability:** Deletion of existing assignments may cause legitimate users to lose access.",
  "id": "GHSA-r32r-j5jq-3w4m",
  "modified": "2026-03-04T20:07:21Z",
  "published": "2026-03-04T20:07:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-r32r-j5jq-3w4m"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dani-garcia/vaultwarden"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vaultwarden has Privilege Escalation via Bulk Permission Update to Unauthorized Collections by Manager"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.