{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27803", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-24T02:31:33.266Z", "datePublished": "2026-03-04T21:40:33.495Z", "dateUpdated": "2026-03-05T15:42:36.935Z"}, "containers": {"cna": {"title": "Vaultwarden: Collection Management Operations Allowed Without `manage` Verification for Manager Role", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h4hq-rgvh-wh27", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h4hq-rgvh-wh27"}], "affected": [{"vendor": "dani-garcia", "product": "vaultwarden", "versions": [{"version": "< 1.35.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-04T21:40:33.495Z"}, "descriptions": [{"lang": "en", "value": "Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, when a Manager has manage=false for a given collection, they can still perform several management operations as long as they have access to the collection. This issue has been patched in version 1.35.4."}], "source": {"advisory": "GHSA-h4hq-rgvh-wh27", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-05T15:32:46.857026Z", "id": "CVE-2026-27803", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T15:42:36.935Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27803", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-05T15:32:46.857026Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T15:32:47.918Z"}}], "cna": {"title": "Vaultwarden: Collection Management Operations Allowed Without `manage` Verification for Manager Role", "source": {"advisory": "GHSA-h4hq-rgvh-wh27", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "dani-garcia", "product": "vaultwarden", "versions": [{"status": "affected", "version": "< 1.35.4"}]}], "references": [{"url": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h4hq-rgvh-wh27", "name": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h4hq-rgvh-wh27", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, when a Manager has manage=false for a given collection, they can still perform several management operations as long as they have access to the collection. This issue has been patched in version 1.35.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-04T21:40:33.495Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27803", "state": "PUBLISHED", "dateUpdated": "2026-03-05T15:42:36.935Z", "dateReserved": "2026-02-24T02:31:33.266Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-04T21:40:33.495Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dani-garcia:vaultwarden:*:*:*:*:*:*:*:*", "matchCriteriaId": "3EE3AB66-F61B-479C-A6C3-C2EEEB6FD55A", "versionEndExcluding": "1.35.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, when a Manager has manage=false for a given collection, they can still perform several management operations as long as they have access to the collection. This issue has been patched in version 1.35.4."}], "id": "CVE-2026-27803", "lastModified": "2026-03-06T19:45:27.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-04T22:16:18.210", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h4hq-rgvh-wh27"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}, {"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "vaultwarden: Vaultwarden: Unauthorized collection management operations due to improper access control", "id": "2444678", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444678"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "status": "draft"}, "cwe": "CWE-266", "details": ["No description is available for this CVE."], "name": "CVE-2026-27803", "public_date": "2026-03-04T21:40:33Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27803\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27803\nhttps://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h4hq-rgvh-wh27"], "statement": "This IMPORTANT access control bypass in Vaultwarden allows a Manager with manage=false to perform unauthorized management operations on accessible collections. Exploitation requires network access and a Manager account (PR:L). Impact includes high confidentiality loss (unauthorized data access), high integrity loss (unauthorized modifications), and low availability impact (potential limited disruption). Affects versions prior to 1.35.4. Red Hat does not ship Vaultwarden.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.35.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "vaultwarden", "source": "cna", "vendor": "dani-garcia"}, "product": "vaultwarden", "vendor": "dani-garcia"}], "analysis": {"en": {"generated_at": "2026-04-16T13:07:08.079380+00:00", "value": {"mitigation_remediation": ["Upgrade Vaultwarden to version 1.35.4 or later to enforce proper manage flag checks.", "Review all Manager role assignments and remove or restrict the manage flag for collections that do not require full control.", "Audit access logs for anomalous collection operations to detect any residual abuse before the upgrade.", "Implement role\u2011based access controls with least privilege, ensuring that Manager roles are only granted when absolutely necessary."], "summary": {"action": "Patch Immediately", "impact": "Unauthorized Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Any instance of Vaultwarden by dani-garcia running a version earlier than 1.35.4 is affected. The issue exists in all deployments where a Manager role is configured without proper verification of the manage flag. The vulnerability was addressed in the 1.35.4 release and later versions. Vendors and users should verify that they are not running a vulnerable version by checking the current package revision.", "description_and_impact": "The vulnerability is a broken access control flaw that allows users with a Manager role to execute collection management operations even when their manage flag is set to false. The flaw enables unauthorized collection creation, modification, deletion, and membership changes, effectively granting elevated rights within the Vaultwarden instance. The weakness corresponds to several CWE identifiers related to inadequate privilege checks and improper authorization, specifically CWE-266, CWE-269, CWE-285, and CWE-863, yielding a high severity impact.", "risk_and_exploitability": "The CVSS score of 8.3 classifies this flaw as high severity, while the EPSS score of less than 1% indicates a low but nonzero likelihood of exploitation in the wild. It is not listed in the CISA KEV catalog, suggesting no publicly known exploits. The attack vector is likely via authenticated API requests, requiring a pre\u2011existing Manager role. An attacker who compromises such a credential can exploit the collection management loophole to expand their authority, modify or delete data, and potentially facilitate further lateral movement. Given the severity and privileged access involved, the risk is considered significant, especially for systems exposing the API or sharing manager accounts."}}}}, "created": "2026-03-05T09:05:44.209376+00:00", "updated": "2026-04-16T13:15:06.224151+00:00", "vendors": ["dani-garcia", "dani-garcia$PRODUCT$vaultwarden"]}