PT-2026-23073 · Bitwarden +1

Odgrso · Published 2026-03-04 · Updated 2026-03-09 · CVE-2026-27898

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Vaultwarden versions prior to 1.35.4

Description: Vaultwarden, a Bitwarden-compatible server, had a flaw where an authenticated user could access another user's cipher details by specifying that cipher's id in a PUT request to the /api/ciphers/{id}/partial API endpoint. While the standard retrieval API correctly enforced access controls, this partial-update endpoint did not perform ownership or access-control checks before returning cipher details, including sensitive fields such as name, notes, data, and secureNote. The to_json method did not halt processing when access restrictions were not met, so the detailed response was still returned. The root cause is that the put_cipher_partial function retrieves the target Cipher but performs no ownership or access-control check before returning a JSON representation of it. The response from /api/ciphers/{id}/partial also includes attachments[].url, which in filesystem deployments is a tokenized endpoint and in object-storage deployments is a short-lived pre-signed URL, potentially allowing unauthorized download of attachment data. This could lead to the unauthorized disclosure of sensitive information, including personal data and authentication credentials.

Recommendations: Vaultwarden versions prior to 1.35.4 are vulnerable. Upgrade to Vaultwarden 1.35.4 or later to resolve this issue.
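The defect described above is a missing authorization check between "look the record up by the client-supplied id" and "serialize it for the caller". The following Rust program is an added illustration written for this page; it is not Vaultwarden's code and does not use Rocket or its database layer. It models a tiny in-memory vault with two users and shows the vulnerable handler shape next to a hardened one. The type and function names (VaultStore, put_cipher_partial_vulnerable, put_cipher_partial_fixed, is_accessible_to_user), the sample users and cipher ids, and the hand-rolled JSON are all constructed for the example; only name and notes are modelled, not attachments.

```rust
use std::collections::HashMap;

/// Stand-in for a stored vault item. Hypothetical type, not Vaultwarden's own `Cipher`.
#[derive(Clone, Debug, PartialEq)]
pub struct Cipher {
    pub id: String,
    pub owner_user_id: String,
    /// Users granted access through sharing (a simplified model of collection access).
    pub shared_with: Vec<String>,
    pub name: String,
    pub notes: Option<String>,
    pub folder_id: Option<String>,
    pub favorite: bool,
}

impl Cipher {
    /// Authorization predicate: the owner or an explicitly shared user may read or modify this item.
    pub fn is_accessible_to_user(&self, user_id: &str) -> bool {
        self.owner_user_id == user_id || self.shared_with.iter().any(|u| u == user_id)
    }

    /// Serialize the fields a client sees. Deliberately minimal (no string escaping) for illustration.
    pub fn to_json(&self) -> String {
        let notes = match &self.notes {
            Some(n) => format!("\"{}\"", n),
            None => "null".to_string(),
        };
        format!(
            "{{\"id\":\"{}\",\"name\":\"{}\",\"notes\":{},\"favorite\":{}}}",
            self.id, self.name, notes, self.favorite
        )
    }
}

/// The only fields the partial-update endpoint is meant to change.
pub struct PartialCipherData {
    pub folder_id: Option<String>,
    pub favorite: bool,
}

#[derive(Debug, PartialEq)]
pub enum ApiError {
    NotFound,
}

pub struct VaultStore {
    ciphers: HashMap<String, Cipher>,
}

impl VaultStore {
    pub fn new(items: Vec<Cipher>) -> Self {
        VaultStore { ciphers: items.into_iter().map(|c| (c.id.clone(), c)).collect() }
    }

    /// Vulnerable shape of PUT /api/ciphers/{id}/partial: the cipher is looked up by the
    /// client-supplied id and its JSON is returned to whichever authenticated user asked.
    pub fn put_cipher_partial_vulnerable(&mut self, cipher_id: &str, _user_id: &str, data: &PartialCipherData) -> Result<String, ApiError> {
        let cipher = self.ciphers.get_mut(cipher_id).ok_or(ApiError::NotFound)?;
        cipher.folder_id = data.folder_id.clone();
        cipher.favorite = data.favorite;
        Ok(cipher.to_json())
    }

    /// Hardened shape: the access check runs before any mutation or serialization.
    /// An inaccessible cipher is reported exactly like a missing one, so the endpoint
    /// cannot be used to confirm that another user's cipher id exists.
    pub fn put_cipher_partial_fixed(&mut self, cipher_id: &str, user_id: &str, data: &PartialCipherData) -> Result<String, ApiError> {
        let cipher = self.ciphers.get_mut(cipher_id).ok_or(ApiError::NotFound)?;
        if !cipher.is_accessible_to_user(user_id) {
            return Err(ApiError::NotFound);
        }
        cipher.folder_id = data.folder_id.clone();
        cipher.favorite = data.favorite;
        Ok(cipher.to_json())
    }
}

/// Constructed sample data: two users, one cipher each. All values are made up for this example.
pub fn sample_store() -> VaultStore {
    VaultStore::new(vec![
        Cipher { id: "cipher-alice-1".into(), owner_user_id: "alice".into(), shared_with: vec![], name: "alice bank".into(), notes: Some("alice-secret-note".into()), folder_id: None, favorite: false },
        Cipher { id: "cipher-bob-1".into(), owner_user_id: "bob".into(), shared_with: vec![], name: "bob mail".into(), notes: Some("bob-secret-note".into()), folder_id: None, favorite: false },
    ])
}

fn main() {
    let data = PartialCipherData { folder_id: None, favorite: true };
    let mut store = sample_store();
    // alice calls the partial endpoint with bob's cipher id
    println!("vulnerable: {:?}", store.put_cipher_partial_vulnerable("cipher-bob-1", "alice", &data));
    println!("fixed:      {:?}", store.put_cipher_partial_fixed("cipher-bob-1", "alice", &data));
    println!("fixed(bob): {:?}", store.put_cipher_partial_fixed("cipher-bob-1", "bob", &data));
}
```

The hardened handler makes two choices worth copying into any record-by-id endpoint: the authorization predicate runs before the mutation (so a denied request leaves no side effect) and before serialization (so no field, attachment URL included, is built for a caller who may not see it), and the "not yours" case returns the same error as "does not exist" so the endpoint is not an existence oracle for other users' ids. Assertions for the real service should be written the same way: a test that authenticates as one user, targets a cipher owned by another, and expects the response to carry no cipher fields.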

Exploit

Fix

LPE

IDOR


Weakness Enumeration

Related identifiers

CVE-2026-27898
GHSA-W9F8-M526-H7FH

Affected products

Bitwarden
Vaultwarden