Vaultwarden Vulnerabilities Enable Privilege Escalation and Data Exposure


Two high-severity vulnerabilities have been discovered in Vaultwarden, a widely used alternative Bitwarden server implementation written in Rust.

These security flaws, tracked as CVE-2026-27803 and CVE-2026-27802, allow compromised Manager accounts to bypass authorization checks, escalate privileges, and expose sensitive stored credentials.

Both vulnerabilities carry a High severity rating: the attack vector is network-based, the attack complexity is low, and no user interaction is required.

They currently affect Vaultwarden version 1.35.3, and organizations are strongly urged to update to the patched version 1.35.4 immediately to secure their environments.

Collection Management Bypass (CVE-2026-27803)

Published by GitHub user dani-garcia, the first vulnerability involves improper authorization and privilege management.

In a secure Vaultwarden environment, a Manager account requires specific permissions to alter a password collection.

However, security testing confirmed that if a Manager simply has baseline access to a collection, they can execute administrative commands even when explicitly restricted by a manage=false setting.

By sending targeted HTTP requests to the server, an attacker with a low-level Manager account can completely bypass intended access controls.

They can successfully modify organizational collections, update user assignments, or outright delete the collection without triggering authorization blocks.

This flaw creates a profound security risk across confidentiality, integrity, and availability.

Attackers can effortlessly expand their access scope to expose confidential credentials, tamper with critical access control settings, and disrupt daily business operations by deleting essential enterprise password collections.

Bulk-Access Privilege Escalation (CVE-2026-27802)

The second high-severity flaw, initially reported by security researcher odgrso, enables direct privilege escalation via Vaultwarden’s bulk-access API.

A Manager account without global access permissions (access_all=false) can abuse this endpoint to target collections that were never assigned to them.

By maliciously manipulating the bulk-access API, an attacker can change their assignment status from false to true, instantly granting themselves unauthorized access to highly restricted areas.

This vulnerability exposes a critical authorization gap at the HTTP level. The single-update API calls correctly identified and blocked these unauthorized actions, returning a 401 Unauthorized error.

However, the bulk-access API completely bypassed these security checks. Worse still, once the unauthorized bulk update was executed, the regular API surprisingly began accepting the changes as well.

This exploit heavily compromises data confidentiality and integrity, allowing rogue actors to view restricted credentials and potentially lock out legitimate users by maliciously removing their assignments.
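As an added illustration (not Vaultwarden's own code), the following constructed Rust model shows the authorization pattern behind both findings: a single-collection update that checks the per-collection manage flag, a bulk path that skips that check and therefore lets a Manager with access_all=false write assignments for collections never granted to them, and a hardened bulk path that authorizes every target before writing anything. The type and function names (Membership, Grant, update_collection, bulk_assign_*) are assumptions made for the example.

```rust
// Constructed model of collection authorization in a Rust password server,
// added as an illustration; it is not Vaultwarden's code.
use std::collections::HashMap;

pub struct Grant {
    pub manage: bool, // the per-collection manage flag the article refers to
}

pub struct Membership {
    pub access_all: bool,            // access_all=false for the Managers in scope
    pub grants: HashMap<u32, Grant>, // collections explicitly assigned to the member
}

impl Membership {
    /// Administrative rights on a collection require access_all or an explicit
    /// manage=true grant; mere assignment with manage=false is not enough.
    pub fn can_manage(&self, cid: u32) -> bool {
        self.access_all || self.grants.get(&cid).map_or(false, |g| g.manage)
    }
}

/// Single-collection update path: enforces the manage check on every request.
pub fn update_collection(m: &Membership, cid: u32) -> Result<(), &'static str> {
    if !m.can_manage(cid) { return Err("401 Unauthorized"); }
    Ok(())
}

/// Flawed bulk path (the pattern the article describes): the caller's Manager
/// role is taken as sufficient and every requested assignment is written,
/// so the caller can grant themselves collections they were never assigned.
pub fn bulk_assign_unchecked(m: &mut Membership, cids: &[u32]) -> Result<usize, &'static str> {
    for &cid in cids {
        m.grants.insert(cid, Grant { manage: true });
    }
    Ok(cids.len())
}

/// Hardened bulk path: authorize every target first, then apply, so a bulk
/// request can never grant more than the single-update path would.
pub fn bulk_assign_checked(m: &mut Membership, cids: &[u32]) -> Result<usize, &'static str> {
    if cids.iter().any(|&cid| !m.can_manage(cid)) { return Err("401 Unauthorized"); }
    for &cid in cids {
        m.grants.insert(cid, Grant { manage: true });
    }
    Ok(cids.len())
}
```

The unchecked path also reproduces the article's observation that, once the bulk write has landed, the single-update path accepts the same collection because the stored grant now says manage=true.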

To mitigate both of these network-based threats, administrators must patch their systems to Vaultwarden 1.35.4.
