PT-2024-36796 · Vendors: Unknown, Blackdex · Product: Vaultwarden
Published 2024-12-20 · Updated 2025-08-19
CVE-2024-56335 · CVSS v3.1 7.6 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Vaultwarden versions prior to 1.32.7
Description: The issue allows an attacker to update or delete groups in an organization they do not belong to, provided that: the attacker has a user account on the server; that account holds admin or owner permissions in some unrelated organization; and the attacker knows the UUID of the target organization and the UUID of the target group. This can lead to denial of service or privilege escalation. The attack applies only to servers with the ORG_GROUPS_ENABLED setting turned on, which is disabled by default.
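An added example, not code from Vaultwarden or from this advisory, modeling in Rust (Vaultwarden's language) the authorization gap the description above implies. The store, type and function names are assumptions and the fixture is constructed; the real request handlers and their exact checks are not shown on this page. The vulnerable shape only confirms that the caller is an admin or owner somewhere and then fetches the group by its UUID alone, so an admin of an unrelated organization who knows both UUIDs succeeds; the hardened shape authorizes against the organization named in the request and scopes the group lookup to that organization.

```rust
// Added example, not Vaultwarden's code: a minimal model of the
// authorization gap the advisory describes. All names are assumptions.

#[derive(Clone, Copy, PartialEq, Debug)]
enum Role {
    Owner,
    Admin,
    User,
}

#[derive(Debug)]
struct Membership {
    user_uuid: String,
    org_uuid: String,
    role: Role,
}

#[derive(Debug)]
struct Group {
    uuid: String,
    org_uuid: String,
}

#[derive(Debug, PartialEq)]
enum Denied {
    NotOrgAdmin,
    GroupNotFound,
}

struct Store {
    memberships: Vec<Membership>,
    groups: Vec<Group>,
}

fn is_admin_role(role: Role) -> bool {
    matches!(role, Role::Admin | Role::Owner)
}

impl Store {
    /// True only if `user` is Admin or Owner in the specific organization `org`.
    fn is_org_admin(&self, user: &str, org: &str) -> bool {
        self.memberships
            .iter()
            .any(|m| m.user_uuid == user && m.org_uuid == org && is_admin_role(m.role))
    }

    /// Vulnerable shape: the caller only has to be admin/owner in *some*
    /// organization, and the group is fetched by its UUID alone, so the org
    /// UUID in the request is never tied to the group being deleted.
    fn delete_group_vulnerable(&mut self, user: &str, _org: &str, group: &str) -> Result<(), Denied> {
        let admin_somewhere = self
            .memberships
            .iter()
            .any(|m| m.user_uuid == user && is_admin_role(m.role));
        if !admin_somewhere {
            return Err(Denied::NotOrgAdmin);
        }
        let before = self.groups.len();
        self.groups.retain(|g| g.uuid != group);
        if self.groups.len() == before { Err(Denied::GroupNotFound) } else { Ok(()) }
    }

    /// Hardened shape: authorize against the organization named in the
    /// request, then scope the group lookup to that same organization, so a
    /// known group UUID from another org is simply "not found".
    fn delete_group_fixed(&mut self, user: &str, org: &str, group: &str) -> Result<(), Denied> {
        if !self.is_org_admin(user, org) {
            return Err(Denied::NotOrgAdmin);
        }
        let before = self.groups.len();
        self.groups.retain(|g| !(g.uuid == group && g.org_uuid == org));
        if self.groups.len() == before { Err(Denied::GroupNotFound) } else { Ok(()) }
    }
}

/// Constructed fixture: the attacker owns org-a; the target group lives in
/// org-b, where the attacker holds no membership at all.
fn sample_store() -> Store {
    let m = |u: &str, o: &str, r: Role| Membership {
        user_uuid: u.to_string(),
        org_uuid: o.to_string(),
        role: r,
    };
    Store {
        memberships: vec![
            m("attacker", "org-a", Role::Owner),
            m("victim-admin", "org-b", Role::Admin),
            m("victim-user", "org-b", Role::User),
        ],
        groups: vec![Group { uuid: "grp-b1".to_string(), org_uuid: "org-b".to_string() }],
    }
}

fn main() {
    let mut s = sample_store();
    println!("vulnerable: {:?}", s.delete_group_vulnerable("attacker", "org-b", "grp-b1"));
    let mut s = sample_store();
    println!("fixed:      {:?}", s.delete_group_fixed("attacker", "org-b", "grp-b1"));
}
```

The fixed path checks the caller's role in the organization from the request before touching any group, and the group query carries that organization UUID, so neither a foreign admin nor a correct group UUID under the wrong organization can reach the delete.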
Recommendations: For versions prior to 1.32.7, update to version 1.32.7 as soon as possible. If updating is not possible, set ORG_GROUPS_ENABLED to false to disable group functionality on the server. Disabling SIGNUPS_ALLOWED additionally prevents an attacker from registering a new account, but it does not protect against an existing user who already holds admin or owner rights in some organization.

Tags: Exploit · Fix · DoS · LPE

Weakness Enumeration: Improper Access Control · Improper Authentication · Improper Authorization · Improper Privilege Management

Related Identifiers: ALT-PU-2025-5575 · CVE-2024-56335 · GHSA-G65H-982X-4M5M

Affected Products: Alt Linux · Vaultwarden