{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27802", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-24T02:31:33.266Z", "datePublished": "2026-03-04T21:34:34.992Z", "dateUpdated": "2026-03-05T15:42:42.152Z"}, "containers": {"cna": {"title": "Vaultwarden: Privilege Escalation via Bulk Permission Update to Unauthorized Collections by Manager", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-r32r-j5jq-3w4m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-r32r-j5jq-3w4m"}], "affected": [{"vendor": "dani-garcia", "product": "vaultwarden", "versions": [{"version": "< 1.35.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-04T21:34:34.992Z"}, "descriptions": [{"lang": "en", "value": "Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, there is a privilege escalation vulnerability via bulk permission update to unauthorized collections by Manager. This issue has been patched in version 1.35.4."}], "source": {"advisory": "GHSA-r32r-j5jq-3w4m", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-05T15:32:48.949245Z", "id": "CVE-2026-27802", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T15:42:42.152Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27802", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-05T15:32:48.949245Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T15:32:50.060Z"}}], "cna": {"title": "Vaultwarden: Privilege Escalation via Bulk Permission Update to Unauthorized Collections by Manager", "source": {"advisory": "GHSA-r32r-j5jq-3w4m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "dani-garcia", "product": "vaultwarden", "versions": [{"status": "affected", "version": "< 1.35.4"}]}], "references": [{"url": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-r32r-j5jq-3w4m", "name": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-r32r-j5jq-3w4m", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, there is a privilege escalation vulnerability via bulk permission update to unauthorized collections by Manager. This issue has been patched in version 1.35.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-04T21:34:34.992Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27802", "state": "PUBLISHED", "dateUpdated": "2026-03-05T15:42:42.152Z", "dateReserved": "2026-02-24T02:31:33.266Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-04T21:34:34.992Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dani-garcia:vaultwarden:*:*:*:*:*:*:*:*", "matchCriteriaId": "3EE3AB66-F61B-479C-A6C3-C2EEEB6FD55A", "versionEndExcluding": "1.35.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, there is a privilege escalation vulnerability via bulk permission update to unauthorized collections by Manager. This issue has been patched in version 1.35.4."}], "id": "CVE-2026-27802", "lastModified": "2026-03-06T19:45:31.713", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-04T22:16:18.057", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-r32r-j5jq-3w4m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "vaultwarden: Vaultwarden: Privilege Escalation via Unauthorized Bulk Permission Update", "id": "2444676", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444676"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-266", "details": ["No description is available for this CVE."], "name": "CVE-2026-27802", "public_date": "2026-03-04T21:34:34Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27802\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27802\nhttps://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-r32r-j5jq-3w4m"], "statement": "This IMPORTANT privilege escalation vulnerability in Vaultwarden allows a Manager to update permissions for unauthorized collections via the bulk update functionality. Exploitation requires network access and a Manager-level account (PR:L). Impact includes high confidentiality loss (access to restricted collections) and high integrity loss (permission modification). Affects versions prior to 1.35.4. Red Hat does not ship Vaultwarden.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.35.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "vaultwarden", "source": "cna", "vendor": "dani-garcia"}, "product": "vaultwarden", "vendor": "dani-garcia"}], "analysis": {"en": {"generated_at": "2026-04-17T13:01:56.513228+00:00", "value": {"mitigation_remediation": ["Upgrade Vaultwarden to version\u202f1.35.4 or later, where the bulk permission update logic has been corrected.", "If an upgrade cannot be performed immediately, restrict Manager role permissions to prevent bulk permission updates, or temporarily disable the bulk update endpoint through configuration or custom middleware.", "Monitor audit logs for abnormal bulk permission changes and enforce least\u2011privilege access controls on collection management."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "All installations of Vaultwarden prior to version\u202f1.35.4 are affected. The vulnerability applies to the officially published releases by the maintainer, dani\u2011garcia. Users running any older release of the server should confirm whether the build includes the unpatched logic and consider upgrading to a fixed version.", "description_and_impact": "Vaultwarden, an unofficial Bitwarden compatible server, suffers from a privilege escalation flaw that allows a Manager to perform bulk permission updates on collections they are not authorized to access. This defect enables an authenticated Manager to grant access to confidential data or elevate other users\u2019 privileges without proper authorization. The vulnerability is rooted in a flaw in the permission update logic, which is categorized under CWE\u2011266, CWE\u2011269, and CWE\u2011863.", "risk_and_exploitability": "The flaw scores an 8.3 on the CVSS scale, indicating a high severity and wide impact if leveraged. The EPSS score is less than 1\u202f%, suggesting that the probability of public exploitation is low at present, and the vulnerability is not listed in the CISA KEV catalog. An attacker who has performed a Manager\u2011level authentication can exploit the flaw by sending a bulk permission update request to the API; no other special conditions are documented in the advisory. While the likelihood is currently low, the high severity warrants immediate attention."}}}}, "created": "2026-03-05T09:05:45.062390+00:00", "updated": "2026-04-17T13:15:19.649525+00:00", "vendors": ["dani-garcia", "dani-garcia$PRODUCT$vaultwarden"]}