Description
Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, there is a privilege escalation vulnerability via bulk permission update to unauthorized collections by Manager. This issue has been patched in version 1.35.4.
Published: 2026-03-04
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

Vaultwarden, an unofficial Bitwarden compatible server, suffers from a privilege escalation flaw that allows a Manager to perform bulk permission updates on collections they are not authorized to access. This defect enables an authenticated Manager to grant access to confidential data or elevate other users’ privileges without proper authorization. The vulnerability is rooted in a flaw in the permission update logic, which is categorized under CWE‑266, CWE‑269, and CWE‑863.

Affected Systems

All installations of Vaultwarden prior to version 1.35.4 are affected. The vulnerability applies to the officially published releases by the maintainer, dani‑garcia. Users running any older release of the server should confirm whether the build includes the unpatched logic and consider upgrading to a fixed version.

Risk and Exploitability

The flaw scores an 8.3 on the CVSS scale, indicating a high severity and wide impact if leveraged. The EPSS score is less than 1 %, suggesting that the probability of public exploitation is low at present, and the vulnerability is not listed in the CISA KEV catalog. An attacker who has performed a Manager‑level authentication can exploit the flaw by sending a bulk permission update request to the API; no other special conditions are documented in the advisory. While the likelihood is currently low, the high severity warrants immediate attention.

Generated by OpenCVE AI on April 17, 2026 at 13:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vaultwarden to version 1.35.4 or later, where the bulk permission update logic has been corrected.
  • If an upgrade cannot be performed immediately, restrict Manager role permissions to prevent bulk permission updates, or temporarily disable the bulk update endpoint through configuration or custom middleware.
  • Monitor audit logs for abnormal bulk permission changes and enforce least‑privilege access controls on collection management.

Generated by OpenCVE AI on April 17, 2026 at 13:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-r32r-j5jq-3w4m Vaultwarden has Privilege Escalation via Bulk Permission Update to Unauthorized Collections by Manager
History

Fri, 06 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:dani-garcia:vaultwarden:*:*:*:*:*:*:*:*

Thu, 05 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-266
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 05 Mar 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Dani-garcia
Dani-garcia vaultwarden
Vendors & Products Dani-garcia
Dani-garcia vaultwarden

Wed, 04 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Description Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, there is a privilege escalation vulnerability via bulk permission update to unauthorized collections by Manager. This issue has been patched in version 1.35.4.
Title Vaultwarden: Privilege Escalation via Bulk Permission Update to Unauthorized Collections by Manager
Weaknesses CWE-269
CWE-863
References
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}

Subscriptions

Dani-garcia Vaultwarden
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-05T15:42:42.152Z

Reserved: 2026-02-24T02:31:33.266Z

Link: CVE-2026-27802

cve-icon Vulnrichment

Updated: 2026-03-05T15:32:50.060Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-04T22:16:18.057

Modified: 2026-03-06T19:45:31.713

Link: CVE-2026-27802

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-04T21:34:34Z

Links: CVE-2026-27802 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T13:15:19Z

Weaknesses