CVE-2026-27802 PUBLISHED

Vaultwarden: Privilege Escalation via Bulk Permission Update to Unauthorized Collections by Manager

Assigner: GitHub_M
Reserved: 24.02.2026 Published: 04.03.2026 Updated: 05.03.2026

Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, there is a privilege escalation vulnerability via bulk permission update to unauthorized collections by Manager. This issue has been patched in version 1.35.4.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CVSS Score: 8.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	dani-garcia
Product	vaultwarden
Versions	Version < 1.35.4 is affected

References

https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-r32r-j5jq-3w4m

Problem Types

CWE-269: Improper Privilege Management CWE
CWE-863: Incorrect Authorization CWE