Description
vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to 1.35.3, a regular organization member can retrieve all ciphers within an organization, regardless of collection permissions. The endpoint /ciphers/organization-details is accessible to any organization member and internally uses Cipher::find_by_org to retrieve all ciphers. These ciphers are returned with CipherSyncType::Organization without enforcing collection-level access control. This vulnerability is fixed in 1.35.3.
Published: 2026-02-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

vaultwarden, an unofficial Bitwarden-compatible server, contains an authenticated authorization flaw that allows any organization member to retrieve all ciphers within an organization, disregarding collection permissions. This exposes vault items such as passwords, notes, and other secrets that should be limited to specific collections, giving a low-privileged member the organization's full set of credentials. The weakness stems from a permissive use of Cipher::find_by_org without enforcing collection-level checks, and is classified as CWE-1220 and CWE-863.
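As an added illustration of the access-control gap the description names (constructed example code, not vaultwarden's source: Cipher, Membership, Db, find_by_org and find_by_org_for_user are hypothetical stand-ins for the real Cipher::find_by_org path), the unfiltered per-organization query sits beside a version that keeps only ciphers in a collection the caller may read, with an admin-style access_all flag and a non-member case handled:

```rust
use std::collections::{HashMap, HashSet};
/// Constructed stand-in for an organization vault item (not vaultwarden's real Cipher type).
#[derive(Clone, Debug, PartialEq)]
pub struct Cipher {
    pub id: u32,
    pub org_id: u32,
    pub collections: Vec<u32>, // collections the item has been shared into
}
/// Constructed stand-in for one user's membership in one organization.
pub struct Membership {
    pub access_all: bool,          // owner/admin-style "may read every collection"
    pub collections: HashSet<u32>, // collections this member may read
}
impl Membership {
    /// A member may read a cipher if they hold access_all or share a collection with it.
    fn may_read(&self, c: &Cipher) -> bool {
        self.access_all || c.collections.iter().any(|col| self.collections.contains(col))
    }
}
pub struct Db {
    pub ciphers: Vec<Cipher>,
    pub memberships: HashMap<(u32, u32), Membership>, // keyed by (user_id, org_id)
}
impl Db {
    /// Vulnerable pattern: filters on org only, so any member receives every org cipher.
    pub fn find_by_org(&self, org_id: u32) -> Vec<Cipher> {
        self.ciphers.iter().filter(|c| c.org_id == org_id).cloned().collect()
    }
    /// Hardened pattern: same query, but each cipher must also pass the caller's
    /// collection check; a caller with no membership in the org gets nothing.
    pub fn find_by_org_for_user(&self, org_id: u32, user_id: u32) -> Vec<Cipher> {
        let m = self.memberships.get(&(user_id, org_id)); // None: caller is not a member
        self.ciphers
            .iter()
            .filter(|c| c.org_id == org_id && m.map_or(false, |m| m.may_read(c)))
            .cloned()
            .collect()
    }
}
/// Constructed sample data: org 1 holds ciphers 1-3 in collections 10/20/30, org 2 holds cipher 4;
/// user 7 is a regular member with collection 10 only, user 8 an admin with access_all, user 9 no member.
pub fn sample_db() -> Db {
    let cipher = |id: u32, org_id: u32, collections: Vec<u32>| Cipher { id, org_id, collections };
    let mut memberships = HashMap::new();
    memberships.insert((7, 1), Membership { access_all: false, collections: HashSet::from([10]) });
    memberships.insert((8, 1), Membership { access_all: true, collections: HashSet::new() });
    Db {
        ciphers: vec![cipher(1, 1, vec![10]), cipher(2, 1, vec![20]), cipher(3, 1, vec![20, 30]), cipher(4, 2, vec![40])],
        memberships,
    }
}
```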

Affected Systems

Instances of vaultwarden running any version prior to 1.35.3 are affected. The vulnerability exists in all releases from the earliest stable build up to 1.35.2 and is resolved in v1.35.3 and later. Administrators should verify the running image tag or package version to determine exposure.

Risk and Exploitability

The CVSS base score of 6.5 indicates a medium impact, while an EPSS score of less than 1% suggests a very low likelihood of observed exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers require legitimate authentication as an organization member to exploit the flaw, using the /ciphers/organization-details endpoint to gain unrestricted access to all ciphers without additional privileges or network compromise.

Generated by OpenCVE AI on April 17, 2026 at 20:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade vaultwarden to version 1.35.3 or later to apply the fix.
  • If an upgrade cannot be performed immediately, modify the API configuration to restrict /ciphers/organization-details so that only administrators can access it, thereby restoring collection-level enforcement.
  • After applying the upgrade or configuration change, monitor API logs for unexpected enumeration activity and review organization permissions to ensure no lingering exposure.

Advisories

No advisories yet.

History

Fri, 13 Feb 2026 21:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:dani-garcia:vaultwarden:*:*:*:*:*:*:*:*

Thu, 12 Feb 2026 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Feb 2026 12:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-1220
References | |
Metrics | threat_severity: None | threat_severity: Moderate


Thu, 12 Feb 2026 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Dani-garcia, Dani-garcia vaultwarden
Vendors & Products | | Dani-garcia, Dani-garcia vaultwarden

Wed, 11 Feb 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | | vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to 1.35.3, a regular organization member can retrieve all ciphers within an organization, regardless of collection permissions. The endpoint /ciphers/organization-details is accessible to any organization member and internally uses Cipher::find_by_org to retrieve all ciphers. These ciphers are returned with CipherSyncType::Organization without enforcing collection-level access control. This vulnerability is fixed in 1.35.3.
Title | | vaultwarden has Full Cipher Enumeration Ignoring Organization Collection Permissions
Weaknesses | | CWE-863
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-12T21:15:25.318Z

Reserved: 2026-02-09T21:36:29.553Z

Link: CVE-2026-26012

Vulnrichment

Updated: 2026-02-12T21:15:21.617Z

NVD

Status : Analyzed

Published: 2026-02-11T22:15:51.703

Modified: 2026-02-13T21:41:01.003

Link: CVE-2026-26012

Redhat

Severity : Moderate

Public Date: 2026-02-11T21:14:58Z

Links: CVE-2026-26012 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T20:15:27Z

Weaknesses