CVE-2026-27898 PUBLISHED

Vaultwarden: Unauthorized Access via Partial Update API on Another User’s Cipher

Assigner: GitHub_M
Reserved: 24.02.2026 Published: 04.03.2026 Updated: 05.03.2026

Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, an authenticated regular user can specify another user’s cipher_id and call "PUT /api/ciphers/{id}/partial" Even though the standard retrieval API correctly denies access to that cipher, the partial update endpoint returns 200 OK and exposes cipherDetails (including name, notes, data, secureNote, etc.). This issue has been patched in version 1.35.4.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CVSS Score: 5.4

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	dani-garcia
Product	vaultwarden
Versions	Version < 1.35.4 is affected

References

https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-w9f8-m526-h7fh

Problem Types

CWE-639: Authorization Bypass Through User-Controlled Key CWE