CVE-2026-27802

Summary

Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, there is a privilege escalation vulnerability via bulk permission update to unauthorized collections by Manager. This issue has been patched in version 1.35.4.

Affected Software

VendorProductVersion RangeStatus
dani-garciavaultwarden< 1.35.4affected

Weaknesses

  • CWE-269: CWE-269: Improper Privilege Management
  • CWE-863: CWE-863: Incorrect Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References