{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26012", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T21:36:29.553Z", "datePublished": "2026-02-11T21:14:58.102Z", "dateUpdated": "2026-02-12T21:15:25.318Z"}, "containers": {"cna": {"title": "vaultwarden has Full Cipher Enumeration Ignoring Organization Collection Permissions", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h265-g7rm-h337", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h265-g7rm-h337"}, {"name": "https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.3"}], "affected": [{"vendor": "dani-garcia", "product": "vaultwarden", "versions": [{"version": "< 1.35.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-11T21:14:58.102Z"}, "descriptions": [{"lang": "en", "value": "vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to 1.35.3, a regular organization member can retrieve all ciphers within an organization, regardless of collection permissions. The endpoint /ciphers/organization-details is accessible to any organization member and internally uses Cipher::find_by_org to retrieve all ciphers. These ciphers are returned with CipherSyncType::Organization without enforcing collection-level access control. This vulnerability is fixed in 1.35.3."}], "source": {"advisory": "GHSA-h265-g7rm-h337", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-12T21:15:06.556593Z", "id": "CVE-2026-26012", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T21:15:25.318Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "vaultwarden has Full Cipher Enumeration Ignoring Organization Collection Permissions", "source": {"advisory": "GHSA-h265-g7rm-h337", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "dani-garcia", "product": "vaultwarden", "versions": [{"status": "affected", "version": "< 1.35.3"}]}], "references": [{"url": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h265-g7rm-h337", "name": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h265-g7rm-h337", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.3", "name": "https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to 1.35.3, a regular organization member can retrieve all ciphers within an organization, regardless of collection permissions. The endpoint /ciphers/organization-details is accessible to any organization member and internally uses Cipher::find_by_org to retrieve all ciphers. These ciphers are returned with CipherSyncType::Organization without enforcing collection-level access control. This vulnerability is fixed in 1.35.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-11T21:14:58.102Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26012", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-12T21:15:06.556593Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-02-12T21:15:21.617Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-26012", "state": "PUBLISHED", "dateUpdated": "2026-02-11T21:14:58.102Z", "dateReserved": "2026-02-09T21:36:29.553Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-11T21:14:58.102Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dani-garcia:vaultwarden:*:*:*:*:*:*:*:*", "matchCriteriaId": "79A968D5-FAC8-49BF-8FA6-8F54218D1875", "versionEndExcluding": "1.35.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to 1.35.3, a regular organization member can retrieve all ciphers within an organization, regardless of collection permissions. The endpoint /ciphers/organization-details is accessible to any organization member and internally uses Cipher::find_by_org to retrieve all ciphers. These ciphers are returned with CipherSyncType::Organization without enforcing collection-level access control. This vulnerability is fixed in 1.35.3."}], "id": "CVE-2026-26012", "lastModified": "2026-02-13T21:41:01.003", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-11T22:15:51.703", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.3"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h265-g7rm-h337"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "vaultwarden: Vaultwarden: Information disclosure due to bypassed collection permissions", "id": "2439184", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439184"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-1220", "details": ["A flaw was found in vaultwarden, an unofficial Bitwarden compatible server. A regular organization member can retrieve all ciphers (encrypted data) within an organization, bypassing collection-level access controls. This allows for unauthorized information disclosure, potentially exposing sensitive data."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-26012", "public_date": "2026-02-11T21:14:58Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-26012\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-26012\nhttps://github.com/dani-garcia/vaultwarden/releases/tag/1.35.3\nhttps://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h265-g7rm-h337"], "statement": "MODERATE: This flaw allows an authenticated organization member to bypass collection permissions and enumerate all ciphers within a Vaultwarden organization. This could lead to unauthorized disclosure of sensitive information. Red Hat does not ship Vaultwarden as part of its products; however, customers deploying Vaultwarden in their environment may be affected.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.35.3)"}}], "product": "vaultwarden", "vendor": "dani-garcia"}], "analysis": {"en": {"generated_at": "2026-04-17T20:10:28.695991+00:00", "value": {"mitigation_remediation": ["Upgrade vaultwarden to version 1.35.3 or later to apply the fix.", "If an upgrade cannot be performed immediately, modify the API configuration to restrict /ciphers/organization-details so that only administrators can access it, thereby restoring collection\u2011level enforcement.", "After applying the upgrade or configuration change, monitor API logs for unexpected enumeration activity and review organization permissions to ensure no lingering exposure."], "summary": {"action": "Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Instances of vaultwarden running any version prior to 1.35.3 are affected. The vulnerability exists in all releases from the earliest stable build up to 1.35.2 and is resolved in v1.35.3 and later. Administrators should verify the running image tag or package version to determine exposure.", "description_and_impact": "vaultwarden, an unofficial Bitwarden-compatible server, contains an authenticated flaw that allows any organization member to retrieve all ciphers within an organization, disregarding collection permissions. This exposes confidential data such as passwords, notes, and encrypted secrets, providing attackers with a full set of organizational credentials. The weakness stems from a permissive use of Cipher::find_by_org without enforcing collection-level checks, and is classified as CWE\u20111220 and CWE\u2011863.", "risk_and_exploitability": "The CVSS base score of 6.5 indicates a medium impact, while an EPSS score of less than 1% suggests a very low likelihood of observed exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers require legitimate authentication as an organization member to exploit the flaw, using the /ciphers/organization-details endpoint to gain unrestricted access to all ciphers without additional privileges or network compromise."}}}}, "created": "2026-02-12T09:03:15.033989+00:00", "updated": "2026-04-17T20:15:27.003703+00:00", "vendors": ["dani-garcia", "dani-garcia$PRODUCT$vaultwarden"]}