PT-2026-23071 · Unknown · Vaultwarden
Odgrso · Published 2026-03-04 · Updated 2026-03-05 · CVE-2026-27802
CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Vaultwarden versions prior to 1.35.4

Description: A Manager account with limited permissions could gain elevated privileges by using the bulk-access API to modify permissions on collections it was not originally authorized to access. The API endpoint, /api/core/organizations.rs, did not properly validate access rights for the specified collection IDs. Specifically, the bulk-access API allowed changing collection assignments from unassigned to assigned, bypassing the standard authorization checks that would normally return a '401 Unauthorized' error. The vulnerability stemmed from the lack of per-collection authorization checks during the bulk update process, unlike other bulk processing endpoints, which perform such validation. The vulnerable code is located in src/api/core/organizations.rs at lines 551, 564, 583, and 590, and in src/auth.rs at line 911. An attacker holding a valid Manager account could exploit this to gain unauthorized access to sensitive information, modify collection permissions, or disrupt access for legitimate users. Exploitation requires a Manager account within the target organization and the existence of collections not originally assigned to the attacker.

Recommendations: Vaultwarden versions prior to 1.35.4 should be updated to version 1.35.4 or later.
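The defect class described above, a bulk endpoint that checks the caller's role once and then applies every entry of the batch without authorizing each collection ID, is easiest to see next to its fix. The following is an added illustration written for this entry; it is not Vaultwarden's code, and the types (AccessGrant, Caller, Assignments, BulkResult) and the scenario in demo() are constructed here. The hardened variant validates the whole batch against the caller's manageable collections before any write, so a request naming one out-of-scope collection is rejected as a unit rather than partially applied.

```rust
use std::collections::{HashMap, HashSet};

/// Collection and user identifiers. Constructed for this example; these are
/// not Vaultwarden's types.
pub type CollectionId = u32;
pub type UserId = u32;

/// One entry of a bulk-access request: grant `user_id` access to
/// `collection_id`.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct AccessGrant {
    pub collection_id: CollectionId,
    pub user_id: UserId,
}

/// Current state: which users are assigned to each collection.
pub type Assignments = HashMap<CollectionId, HashSet<UserId>>;

/// The caller's authorization context. `manageable` is the set of collections
/// this Manager is allowed to administer; a real service loads it per request
/// from the organization's membership tables.
pub struct Caller {
    pub is_manager: bool,
    pub manageable: HashSet<CollectionId>,
}

/// Outcome of a bulk update.
#[derive(Debug, PartialEq, Eq)]
pub enum BulkResult {
    /// Every grant was authorized and applied; carries the count.
    Applied(usize),
    /// Caller lacks the Manager role entirely.
    NotManager,
    /// At least one collection in the batch is outside the caller's scope;
    /// carries the first offending ID, and nothing was applied.
    Unauthorized(CollectionId),
}

/// Vulnerable pattern: a role check at the top of the handler, then every
/// entry of the batch is applied without asking whether this Manager may
/// administer that particular collection.
pub fn bulk_grant_vulnerable(caller: &Caller, batch: &[AccessGrant], state: &mut Assignments) -> BulkResult {
    if !caller.is_manager {
        return BulkResult::NotManager;
    }
    for grant in batch {
        state.entry(grant.collection_id).or_default().insert(grant.user_id);
    }
    BulkResult::Applied(batch.len())
}

/// Hardened pattern: authorize every collection ID in the batch before any
/// write. Checking the whole batch first keeps the operation atomic, so a
/// rejected request leaves no partially applied grants behind.
pub fn bulk_grant_hardened(caller: &Caller, batch: &[AccessGrant], state: &mut Assignments) -> BulkResult {
    if !caller.is_manager {
        return BulkResult::NotManager;
    }
    if let Some(denied) = batch.iter().find(|g| !caller.manageable.contains(&g.collection_id)) {
        return BulkResult::Unauthorized(denied.collection_id);
    }
    for grant in batch {
        state.entry(grant.collection_id).or_default().insert(grant.user_id);
    }
    BulkResult::Applied(batch.len())
}

/// Constructed scenario: the Manager administers collection 1 only, but the
/// batch also names collection 2. Returns the vulnerable and hardened results
/// and whether each run wrote anything for collection 2.
pub fn demo() -> (BulkResult, BulkResult, bool, bool) {
    let caller = Caller { is_manager: true, manageable: HashSet::from([1]) };
    let batch = vec![
        AccessGrant { collection_id: 1, user_id: 42 },
        AccessGrant { collection_id: 2, user_id: 42 },
    ];
    let mut vuln_state = Assignments::new();
    let vuln = bulk_grant_vulnerable(&caller, &batch, &mut vuln_state);
    let mut hard_state = Assignments::new();
    let hard = bulk_grant_hardened(&caller, &batch, &mut hard_state);
    (vuln, hard, vuln_state.contains_key(&2), hard_state.contains_key(&2))
}

fn main() {
    let (vuln, hard, v2, h2) = demo();
    println!("vulnerable: {vuln:?}, wrote collection 2: {v2}");
    println!("hardened:   {hard:?}, wrote collection 2: {h2}");
}
```

The check belongs on every ID in the batch, not just on the role, and it should run before the first write; a per-entry check inside the mutation loop would still stop the out-of-scope grant but could leave the in-scope part of a rejected request applied.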

Tags: Exploit · Fix · LPE · Improper Privilege Management · Incorrect Authorization


Weakness Enumeration

Related Identifiers: CVE-2026-27802, GHSA-R32R-J5JQ-3W4M

Affected Products: Vaultwarden