Description
Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, an authenticated regular user can specify another user’s cipher_id and call "PUT /api/ciphers/{id}/partial" Even though the standard retrieval API correctly denies access to that cipher, the partial update endpoint returns 200 OK and exposes cipherDetails (including name, notes, data, secureNote, etc.). This issue has been patched in version 1.35.4.
Published: 2026-03-04
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized disclosure of other users' cipher data
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows an authenticated regular user to supply another user's cipher identifier to the partial update endpoint. Although the standard retrieval API correctly blocks such access, the update endpoint returns a 200 OK response and leaks the full cipher details—including name, notes, data, and secure note information—effectively enabling the attacker to read confidential data belonging to a different user. This issue stems from an authorization bypass (CWE-639) and represents a moderate severity confidentiality violation as the attacker gains unauthorized read access to encrypted data without modifying or deleting it.

Affected Systems

Vaultwarden, an unofficial Bitwarden-compatible server written in Rust, is affected when running any version older than 1.35.4. The vulnerability applies to all deployments of the dani-garcia:vaultwarden product, regardless of the environment or configuration, as long as the user is authenticated and has a valid session.

Risk and Exploitability

Based on the description, the likely attack vector is an authenticated user sending a request to the partial update API with a chosen cipher identifier. The CVSS score of 5.4 reflects moderate risk, while the EPSS score is less than 1 %, indicating a very low likelihood of widespread exploitation at present. The vulnerability is not classified in the CISA KEV catalog. The attack likely requires a legitimate authenticated user who can interact with the Vaultwarden API. Since the partial update endpoint accepts a cipher identifier, a malicious user can enumerate or guess valid identifiers or target known IDs. The internal exploit does not require elevated privileges or external network exposure, making the risk mainly confined to environments where user accounts are actively used.

Generated by OpenCVE AI on April 17, 2026 at 13:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vaultwarden to version 1.35.4 or later to eliminate the partial update data leak
  • Audit and monitor API activity for unexpected partial update calls to detect potential abuse
  • Implement network segmentation or firewall rules to limit API exposure to trusted hosts or VPNs

Generated by OpenCVE AI on April 17, 2026 at 13:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-w9f8-m526-h7fh Vaultwarden has Unauthorized Access via Partial Update API on Another User’s Cipher
History

Fri, 06 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:dani-garcia:vaultwarden:*:*:*:*:*:*:*:*

Thu, 05 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 05 Mar 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Dani-garcia
Dani-garcia vaultwarden
Vendors & Products Dani-garcia
Dani-garcia vaultwarden

Wed, 04 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Description Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, an authenticated regular user can specify another user’s cipher_id and call "PUT /api/ciphers/{id}/partial" Even though the standard retrieval API correctly denies access to that cipher, the partial update endpoint returns 200 OK and exposes cipherDetails (including name, notes, data, secureNote, etc.). This issue has been patched in version 1.35.4.
Title Vaultwarden: Unauthorized Access via Partial Update API on Another User’s Cipher
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Dani-garcia Vaultwarden
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-05T15:42:31.635Z

Reserved: 2026-02-24T15:19:29.717Z

Link: CVE-2026-27898

cve-icon Vulnrichment

Updated: 2026-03-05T15:29:19.983Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-04T22:16:18.373

Modified: 2026-03-06T19:45:12.067

Link: CVE-2026-27898

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-04T21:44:45Z

Links: CVE-2026-27898 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T13:15:19Z

Weaknesses