Impact
The vulnerability is a broken access control flaw in Vaultwarden: a user holding the Manager role in an organization can perform collection management operations even when their manage flag is set to false. This allows unauthorized collection creation, modification, deletion and membership changes, effectively granting rights within the Vaultwarden instance that the role was never meant to have. The weakness is classified under CWE-266 (Incorrect Privilege Assignment), CWE-269 (Improper Privilege Management), CWE-285 (Improper Authorization) and CWE-863 (Incorrect Authorization), and its impact is rated high.
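The following is an added, simplified model of the check described above, written for this page; it is not Vaultwarden's code, and the type names, the `CollectionAccess` record and the `authorize` helper are assumptions made for illustration. It shows the vulnerable shape of the decision (Manager treated as a management role outright, so the manage flag is never consulted) next to the hardened shape (Manager needs an explicit assignment with `manage == true`, exactly like a plain User).

```rust
// Added illustrative model of the access-control flaw; NOT Vaultwarden's code.
// Types, field names and the authorize() helper are assumptions for this example.

/// Organization membership type (simplified; the Custom type is not modelled).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum UserType {
    Owner,
    Admin,
    Manager,
    User,
}

/// Per-collection access record for one member (simplified).
#[derive(Clone, Copy, Debug, Default)]
pub struct CollectionAccess {
    pub read_only: bool,
    pub hide_passwords: bool,
    /// The "manage" flag: may this member edit/delete the collection and
    /// change who is assigned to it?
    pub manage: bool,
}

/// Collection management operations the check must gate.
#[derive(Clone, Copy, Debug)]
pub enum CollectionOp {
    Create,
    Update,
    Delete,
    ChangeMembership,
}

/// Vulnerable check: the Manager role is short-circuited to "allowed", so the
/// member's per-collection `manage` flag is never looked at.
pub fn can_manage_collection_vulnerable(user: UserType, access: Option<CollectionAccess>) -> bool {
    match user {
        UserType::Owner | UserType::Admin => true,
        UserType::Manager => true, // BUG: ignores access.manage (and a missing assignment)
        UserType::User => access.map_or(false, |a| a.manage),
    }
}

/// Hardened check: Owners and Admins manage every collection; everyone else,
/// Manager included, needs an assignment whose `manage` flag is true.
pub fn can_manage_collection_fixed(user: UserType, access: Option<CollectionAccess>) -> bool {
    match user {
        UserType::Owner | UserType::Admin => true,
        UserType::Manager | UserType::User => access.map_or(false, |a| a.manage),
    }
}

/// Gate one operation with either check. `access` is the caller's record for
/// the target collection (None = not assigned at all). Err carries the reason a
/// handler would turn into a 403.
pub fn authorize(
    user: UserType,
    access: Option<CollectionAccess>,
    op: CollectionOp,
    fixed: bool,
) -> Result<CollectionOp, &'static str> {
    let allowed = if fixed {
        can_manage_collection_fixed(user, access)
    } else {
        can_manage_collection_vulnerable(user, access)
    };
    if allowed {
        Ok(op)
    } else {
        Err("forbidden: manage permission required for this collection")
    }
}

fn main() {
    // Constructed scenario: a Manager assigned to a collection with manage = false.
    let no_manage = Some(CollectionAccess { manage: false, ..Default::default() });
    for op in [CollectionOp::Update, CollectionOp::Delete, CollectionOp::ChangeMembership] {
        println!("vulnerable: Manager, manage=false, {op:?} -> {:?}", authorize(UserType::Manager, no_manage, op, false));
        println!("fixed:      Manager, manage=false, {op:?} -> {:?}", authorize(UserType::Manager, no_manage, op, true));
    }
}
```

The point to take from the model is that the role name is not the authority: the decision has to be made on the per-collection record, and a missing record must fail closed (`None` maps to `false`) rather than fall through to a role-based default.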
Affected Systems
Any instance of Vaultwarden by dani-garcia running a version earlier than 1.35.4 is affected. The flaw is present in every such deployment that uses the Manager role, because the server itself did not verify the manage flag for that role. The issue was fixed in the 1.35.4 release and later versions carry the fix. Operators should confirm the version that is actually running (the version reported by the server, not only the package or image tag they believe they deployed) and upgrade if it is older than 1.35.4.
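As an added example (not part of the advisory or of Vaultwarden), the check below parses a version string as a server reports it and decides whether it predates the 1.35.4 fix. The `1.35.4` cutoff comes from the text above; the handling of a `v` prefix and of `-`/`+` suffixes (e.g. an image tag such as `1.35.3-alpine`) is an assumption to make the parser tolerant of the forms an operator is likely to paste in. The version string itself can be taken from the `version` field returned by the instance's `GET /api/config` endpoint or from the version shown on the admin Diagnostics page.

```rust
// Added example: is a reported Vaultwarden version older than the fixed release?
// Not project code; the fixed version constant comes from the advisory text.

/// First release containing the fix, as (major, minor, patch).
pub const FIXED_VERSION: (u64, u64, u64) = (1, 35, 4);

/// Parse "1.35.3", "v1.35.3" or "1.35.3-alpine" into (major, minor, patch).
/// Anything after '-' or '+' is treated as a build/flavour suffix and dropped.
/// A missing patch component defaults to 0; unparsable input yields None.
pub fn parse_version(s: &str) -> Option<(u64, u64, u64)> {
    let core = s.trim().trim_start_matches('v');
    let core = core.split(|c| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    let major = parts.next()??;
    let minor = parts.next()??;
    let patch = parts.next().unwrap_or(Some(0))?;
    Some((major, minor, patch))
}

/// Some(true) if the version is older than FIXED_VERSION, Some(false) if it is
/// the fixed release or newer, None if the string could not be parsed.
/// Tuple comparison is lexicographic, so 1.35.10 correctly sorts after 1.35.4.
pub fn is_vulnerable(version: &str) -> Option<bool> {
    parse_version(version).map(|v| v < FIXED_VERSION)
}

fn main() {
    // Version string from the first argument (for example the "version" field
    // of GET /api/config); a constructed default is used when none is given.
    let arg = std::env::args().nth(1).unwrap_or_else(|| "1.35.3-alpine".to_string());
    match is_vulnerable(&arg) {
        Some(true) => println!("{arg}: vulnerable (older than 1.35.4), upgrade"),
        Some(false) => println!("{arg}: contains the fix (1.35.4 or later)"),
        None => println!("{arg}: could not parse a version from this string"),
    }
}
```

Strings such as `latest` are rejected rather than guessed at: an image tag is not evidence of the running version, so resolve it to a concrete number from the server first.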
Risk and Exploitability
The CVSS score of 8.3 classifies this flaw as high severity, while the EPSS score of less than 1% indicates a low but nonzero probability of exploitation in the wild. It is not listed in the CISA KEV catalog, so there is no confirmed record of active exploitation; that says nothing about difficulty, since the flaw is reached through ordinary authenticated API requests and needs nothing more than an account that already holds a Manager role. An attacker who compromises such an account, or a Manager acting maliciously, can use the gap in the collection checks to create, modify or delete collections and change their membership, altering or removing shared vault data and potentially exposing credentials that can be used for further lateral movement. Given the severity and the privileged data involved, the risk is significant, especially for instances whose API is reachable from untrusted networks or where Manager accounts are shared.
OpenCVE Enrichment
Github GHSA