Description
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden does not enforce that a groups_users.users_organizations_uuid entry belongs to the same organization as groups.groups_uuid, or a collections_groups.collections_uuid entry belongs to the same organization as collections_groups.groups_uuid. Multiple organization group-management endpoints accept arbitrary MembershipId and CollectionId values and persist them directly without verifying org consistency. This lets an attacker who is Admin in Organization A, and only a low-privileged member in Organization B, bind their Org B membership UUID into an Org A group, then use that foreign group relationship to gain unauthorized access to Org B vault data. With an accessAll=true Org A group, the attacker can make /api/sync and /api/ciphers enumerate Org B ciphers. Once those unauthorized sync results reveal Org B collection IDs, the attacker can also bind those foreign collection IDs to the Org A group and turn the same flaw into write access over Org B items. This vulnerability is fixed in 1.35.5.
Published: 2026-05-11
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Vaultwarden's group management allows an administrator in one organization to bind a membership or collection UUID from another organization into a group of the first organization. The flaw is a case of improper authorization (CWE-285) that lets the attacker read and possibly write data from the target organization. The attacker can use an Org-wide group with the accessAll flag to sync and enumerate collections, then bind those collection IDs through the same vulnerability to gain write access to items in the other organization.

Affected Systems

The vulnerability affects the Vaultwarden project developed by dani-garcia. It impacts all releases prior to 1.35.5; versions 1.35.5 and later contain the necessary checks that enforce organization consistency for group and collection relationships.

Risk and Exploitability

The CVSS score of 8.7 classifies the issue as high severity. EPSS data is not available, so the probability of exploitation cannot be quantified from that metric, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the issue by interacting with group-management endpoints that accept arbitrary MembershipId and CollectionId values without verifying organization consistency; no additional privileges beyond being an organization administrator and a low-level member in the target organization are required.

Generated by OpenCVE AI on May 12, 2026 at 00:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Vaultwarden version 1.35.5 or newer to restore organization consistency checks in group and collection binding.
  • After upgrading, restrict the use of group-management endpoints so that only administrators of a given organization can bind groups or collections, and consider disabling or rate-limiting endpoints that accept arbitrary MembershipId or CollectionId inputs until a full audit confirms no residual cross-org bindings.
  • Perform a post-patch audit of existing groups and collections to identify and remove any relationships that were created while the vulnerability existed, ensuring that no foreign organization IDs remain bound to an organization's groups or collections.
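The two defensive pieces this record calls for, the organization-consistency check that the description says was missing from the group-management endpoints before 1.35.5 and the post-patch audit from the recommended actions, as one added Rust example. This is not Vaultwarden's own code: the in-memory `Db`, the `BindError` type, the function names and all sample UUIDs are constructed for the illustration, and only the table and column names the advisory itself mentions (groups_users.users_organizations_uuid, groups_users.groups_uuid, collections_groups.collections_uuid, collections_groups.groups_uuid) are taken from the page. The caller's admin role in the group's own organization is assumed to be checked elsewhere; this code only closes the cross-org gap.

```rust
// Added example (not Vaultwarden's code): models the organization-consistency
// check that CVE-2026-43912 describes as missing before 1.35.5, plus a
// post-patch audit over rows written without it. Type and function names and
// the sample UUIDs are constructed for this illustration.
use std::collections::HashMap;

/// In-memory stand-in for the tables the advisory names. Each map goes from a
/// record UUID to the UUID of the organization that owns that record.
#[derive(Default)]
pub struct Db {
    pub group_org: HashMap<String, String>,
    pub membership_org: HashMap<String, String>, // users_organizations rows
    pub collection_org: HashMap<String, String>,
    /// groups_users rows as (users_organizations_uuid, groups_uuid)
    pub groups_users: Vec<(String, String)>,
    /// collections_groups rows as (collections_uuid, groups_uuid)
    pub collections_groups: Vec<(String, String)>,
}

#[derive(Debug, PartialEq)]
pub enum BindError {
    UnknownGroup,
    UnknownTarget,
    /// The membership or collection is owned by a different org than the group.
    CrossOrg { group_org: String, target_org: String },
}

/// The missing check: the target must exist and be owned by the group's org.
fn same_org(group_org: Option<&String>, target_org: Option<&String>) -> Result<(), BindError> {
    let g = group_org.ok_or(BindError::UnknownGroup)?;
    let t = target_org.ok_or(BindError::UnknownTarget)?;
    if g != t {
        return Err(BindError::CrossOrg { group_org: g.clone(), target_org: t.clone() });
    }
    Ok(())
}

impl Db {
    /// Bind a membership (MembershipId) into a group, refusing cross-org rows.
    pub fn bind_member(&mut self, membership_uuid: &str, group_uuid: &str) -> Result<(), BindError> {
        same_org(self.group_org.get(group_uuid), self.membership_org.get(membership_uuid))?;
        self.groups_users.push((membership_uuid.to_string(), group_uuid.to_string()));
        Ok(())
    }

    /// Bind a collection (CollectionId) to a group, refusing cross-org rows.
    pub fn bind_collection(&mut self, collection_uuid: &str, group_uuid: &str) -> Result<(), BindError> {
        same_org(self.group_org.get(group_uuid), self.collection_org.get(collection_uuid))?;
        self.collections_groups.push((collection_uuid.to_string(), group_uuid.to_string()));
        Ok(())
    }

    /// Post-patch audit: every existing row whose target is not owned by the
    /// group's org (or references an unknown record), returned as
    /// (table, target uuid, group uuid) so an operator can remove it.
    pub fn audit_cross_org(&self) -> Vec<(&'static str, String, String)> {
        let mut bad = Vec::new();
        for (m, g) in &self.groups_users {
            if same_org(self.group_org.get(g), self.membership_org.get(m)).is_err() {
                bad.push(("groups_users", m.clone(), g.clone()));
            }
        }
        for (c, g) in &self.collections_groups {
            if same_org(self.group_org.get(g), self.collection_org.get(c)).is_err() {
                bad.push(("collections_groups", c.clone(), g.clone()));
            }
        }
        bad
    }
}

/// Constructed sample: org A owns one group and one membership, org B owns one
/// membership and one collection, and one cross-org groups_users row is
/// already present, as a pre-1.35.5 server could have written it.
pub fn sample_db() -> Db {
    let mut db = Db::default();
    db.group_org.insert("group-a1".into(), "org-a".into());
    db.membership_org.insert("member-a1".into(), "org-a".into());
    db.membership_org.insert("member-b1".into(), "org-b".into());
    db.collection_org.insert("coll-b1".into(), "org-b".into());
    db.groups_users.push(("member-b1".into(), "group-a1".into())); // legacy row
    db
}

fn main() {
    let mut db = sample_db();
    println!("audit before cleanup: {:?}", db.audit_cross_org());
    println!("same-org member bind: {:?}", db.bind_member("member-a1", "group-a1"));
    println!("foreign collection bind: {:?}", db.bind_collection("coll-b1", "group-a1"));
}
```

The check deliberately looks up the organization through the group rather than trusting an org id supplied with the request, so a request that names a group in Org A and a membership or collection from Org B fails with `CrossOrg` and nothing is persisted; the audit applies the same predicate to rows that already exist, which is what the recommended post-patch review needs.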



Advisories

No advisories yet.

History

Tue, 12 May 2026 14:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 12 May 2026 00:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Dani-garcia; Dani-garcia vaultwarden
Vendors & Products  |                | Dani-garcia; Dani-garcia vaultwarden

Mon, 11 May 2026 22:30:00 +0000

Type        | Values Removed | Values Added
Description |                | Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden does not enforce that a groups_users.users_organizations_uuid entry belongs to the same organization as groups.groups_uuid, or a collections_groups.collections_uuid entry belongs to the same organization as collections_groups.groups_uuid. Multiple organization group-management endpoints accept arbitrary MembershipId and CollectionId values and persist them directly without verifying org consistency. This lets an attacker who is Admin in Organization A, and only a low-privileged member in Organization B bind their Org B membership UUID into an Org A group, then use that foreign group relationship to gain unauthorized access to Org B vault data. With an accessAll=true Org A group, the attacker can make /api/sync and /api/ciphers enumerate Org B ciphers. Once those unauthorized sync results reveal Org B collection IDs, the attacker can also bind those foreign collection IDs to the Org A group and turn the same flaw into write access over Org B items. This vulnerability is fixed in 1.35.5.
Title       |                | Vaultwarden: Cross-Org Group Binding Enables Unauthorized Read And Write Access Into Another Organization
Weaknesses  |                | CWE-285
References  |                |
Metrics     |                | cvssV3_1 {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T13:19:50.689Z

Reserved: 2026-05-04T16:11:33.086Z

Link: CVE-2026-43912

Vulnrichment

Updated: 2026-05-12T13:19:33.715Z

NVD

Status : Received

Published: 2026-05-11T23:20:21.980

Modified: 2026-05-12T14:17:07.873

Link: CVE-2026-43912

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T00:15:07Z

Weaknesses