Skip to content

Vaultwarden has Privilege Escalation via Bulk Permission Update to Unauthorized Collections by Manager

High severity GitHub Reviewed Published Mar 4, 2026 in dani-garcia/vaultwarden

Package

cargo vaultwarden (Rust)

Affected versions

<= 1.35.3

Patched versions

1.35.4

Description

Summary

A Manager account (access_all=false) was able to escalate privileges by directly invoking the bulk-access API against collections that were not originally assigned to them.
The API allowed changing assigned=false to assigned=true, resulting in unauthorized access.

Additionally, prior to the bulk-access call, the regular single-update API correctly returned 401 Unauthorized for the same collection. After executing the bulk-access API, the same update API returned 200 OK, confirming an authorization gap at the HTTP level.

Description

  • The endpoint accepts ManagerHeadersLoose and does not validate access rights for the specified collectionIds.
    src/api/core/organizations.rs:551

    headers: ManagerHeadersLoose,

  • The received collection_ids are processed directly without per-collection authorization checks.
    src/api/core/organizations.rs:564

    for col_id in data.collection_ids {

  • Existing group assignments for the collection are deleted.
    src/api/core/organizations.rs:583

    CollectionGroup::delete_all_by_collection(&col_id, &conn).await?;

  • Existing user assignments for the collection are deleted.
    src/api/core/organizations.rs:590

    CollectionUser::delete_all_by_collection(&col_id, &conn).await?;

  • By comparison, another bulk-processing endpoint performs per-collection validation using from_loose.
    src/api/core/organizations.rs:787

    let headers = ManagerHeaders::from_loose(headers, &collections, &conn).await?;

  • The actual access control logic is implemented in can_access_collection, which is not invoked in the bulk-access endpoint.
    src/auth.rs:911

    if !Collection::can_access_collection(&h.membership, col_id, conn).await {

Preconditions

  • The attacker possesses a valid Manager account within the target organization.
  • The organization contains collections that are not assigned to the attacker.
  • The attacker can authenticate through the standard API login process (Owner/Admin privileges are not required).

Steps to Reproduce

  1. Log in as a Manager and obtain a Bearer token.

image

  1. Confirm the current values of assigned, manage, readOnly, and hidePasswords for the target collection.

image

  1. Verify that the standard update API returns 401 Unauthorized when attempting to modify the unassigned collection.

image

  1. Invoke the bulk-access API, including:

image

  • collectionIds containing the target collection
  • users containing the attacker’s own membership_id
    Confirm that the API returns 200 OK.
  1. Re-run the standard update API.
    Confirm that it now succeeds and that the previously unauthorized modification is applied.

image

Required Minimum Privileges

  • Manager role within the target organization
    (the issue occurs even when access_all=false)

Attack Scenario

A delegated administrator or department-level Manager within an organization directly calls the API to add themselves to unauthorized collections and gain access to confidential information.

Because the bulk update process deletes and reassigns existing permissions, the attacker can also remove other users’ access, enabling denial-of-service or sabotage within the organization.

Potential Impact

  • Confidentiality: Unauthorized access to sensitive information within restricted collections.
  • Integrity: Unauthorized modification of collection permission settings and arbitrary changes to access controls.
  • Availability: Deletion of existing assignments may cause legitimate users to lose access.

References

@dani-garcia dani-garcia published to dani-garcia/vaultwarden Mar 4, 2026
Published to the GitHub Advisory Database Mar 4, 2026
Reviewed Mar 4, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(13th percentile)

Weaknesses

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. Learn more on MITRE.

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. Learn more on MITRE.

CVE ID

CVE-2026-27802

GHSA ID

GHSA-r32r-j5jq-3w4m

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.