Description
Vaultwarden is a Bitwarden-compatible server written in Rust. In version 1.35.4 and earlier, the get_org_collections_details endpoint (GET /api/organizations/{org_id}/collections/details) is missing the has_full_access() authorization check that exists on the sibling get_org_collections endpoint. This allows any Manager-role user with accessAll=False and no collection assignments to retrieve the names, UUIDs, user-to-collection mappings, and group-to-collection mappings for all collections in the organization. This issue has been fixed in version 1.35.5.
Published: 2026-05-05
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authorization check in the get_org_collections_details endpoint of Vaultwarden allows any user with Manager role but no collection assignments to request collection metadata. The flaw exposes collection names, UUIDs, user-to-collection mappings, and group-to-collection mappings for all collections in an organization, giving attackers insight into the structure and potentially sensitive grouping of records. The weakness is classified as CWE-862 (Missing Authorization Check).
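The gap described above, as a constructed Rust model added here (it is not Vaultwarden's code; OrgRole, OrgMembership, Org, ApiError and the two handler functions are assumed names). The vulnerable shape returns every collection's details to any member; the fixed shape gates on has_full_access() and otherwise limits output to the member's assigned collections, which is this example's assumption about the patched behaviour.

```rust
// Added model of the authorization gap in CVE-2026-33420; not Vaultwarden's code.
// Type and function names here are assumptions for illustration only.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum OrgRole { Owner, Admin, Manager, User }

/// One user's membership in an organization (assumed shape).
#[derive(Clone, Debug)]
pub struct OrgMembership {
    pub role: OrgRole,
    pub access_all: bool,            // the API's accessAll flag
    pub collection_ids: Vec<String>, // collections explicitly assigned
}

impl OrgMembership {
    /// Assumed meaning of has_full_access(): Owners, Admins, or accessAll members see every collection.
    pub fn has_full_access(&self) -> bool {
        self.access_all || matches!(self.role, OrgRole::Owner | OrgRole::Admin)
    }
}

/// Per-collection payload of the details endpoint (assumed shape).
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct CollectionDetails {
    pub id: String,
    pub name: String,
    pub user_ids: Vec<String>,
    pub group_ids: Vec<String>,
}
pub struct Org { pub collections: Vec<CollectionDetails> }
#[derive(Debug, PartialEq, Eq)]
pub enum ApiError { Forbidden }

/// Vulnerable shape (1.35.4 and earlier): no scope check, so every
/// collection's name, id and user/group mappings go to any org member.
pub fn details_vulnerable(org: &Org, _m: &OrgMembership) -> Result<Vec<CollectionDetails>, ApiError> {
    Ok(org.collections.clone())
}

/// Fixed shape: gate on has_full_access(); otherwise return only the
/// member's assigned collections and refuse members with none (assumed behaviour).
pub fn details_fixed(org: &Org, m: &OrgMembership) -> Result<Vec<CollectionDetails>, ApiError> {
    if m.has_full_access() {
        return Ok(org.collections.clone());
    }
    if m.collection_ids.is_empty() {
        return Err(ApiError::Forbidden);
    }
    Ok(org.collections.iter().filter(|c| m.collection_ids.contains(&c.id)).cloned().collect())
}
```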

Affected Systems

The vulnerability affects Vaultwarden versions 1.35.4 and earlier, developed by dani-garcia. Users running these releases in any organization with Manager-role users are at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate impact. No EPSS score is available and the flaw is not listed in the CISA KEV catalog. Exploitation requires only an authenticated user holding the Manager role; no privileges beyond that role are required (CVSS vector AV:N/PR:L). Such a user could enumerate collection details and map organizational structure, potentially aiding future targeting or data exfiltration.

Generated by OpenCVE AI on May 5, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vaultwarden to version 1.35.5 or later, which includes the missing authorization check.
  • Deploy the updated release and restart the Vaultwarden service to ensure the patch takes effect.
  • Review and tighten Manager role assignments to limit the number of users who can enumerate collections in each organization.



Advisories

No advisories yet.

History

Tue, 05 May 2026 19:30:00 +0000

Type          Values Removed    Values Added
Description                     Vaultwarden is a Bitwarden-compatible server written in Rust. In version 1.35.4 and earlier, the get_org_collections_details endpoint (GET /api/organizations/{org_id}/collections/details) is missing the has_full_access() authorization check that exists on the sibling get_org_collections endpoint. This allows any Manager-role user with accessAll=False and no collection assignments to retrieve the names, UUIDs, user-to-collection mappings, and group-to-collection mappings for all collections in the organization. This issue has been fixed in version 1.35.5.
Title                           Vaultwarden missing authorization check allows Manager-role users to enumerate all collections
Weaknesses                      CWE-862
References
Metrics                         cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T19:12:24.969Z

Reserved: 2026-03-19T18:45:22.432Z

Link: CVE-2026-33420

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-05T20:16:36.483

Modified: 2026-05-05T20:16:36.483

Link: CVE-2026-33420

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T20:30:31Z

Weaknesses