PT-2026-23072 · Unknown+1 · Vaultwarden+1

Odgrso · Published 2026-03-04 · Updated 2026-06-12 · CVE-2026-27803

CVSS v3.1: 8.3 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Vaultwarden versions prior to 1.35.4

Description: Vaultwarden, a Bitwarden-compatible server, had a flaw where a Manager with limited permissions (manage=false) for a specific collection could still perform management operations such as updating collection details, modifying user access, and even deleting the collection itself, as long as they had general access to the collection. This occurred because the authorization checks only verified collection access, not the manage privilege. The vulnerable API endpoints include /api/organizations/<org id>/collections/<col id> (update and delete) and /api/organizations/<org id>/collections/<col id>/users. The issue stemmed from the can access collection function not evaluating the manage flag, and from the lack of manage checks in the update and deletion endpoints, which only accepted ManagerHeaders. An attacker with the Manager role, access to the collection, and manage=false permission could exploit this to escalate their privileges to manage=true or delete the collection, potentially impacting confidentiality, integrity, and availability.

Recommendations: Versions prior to 1.35.4 should be updated to version 1.35.4 or later.
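As an added illustration (not Vaultwarden's own code), the following Rust model contrasts the flawed decision described above, which verifies only collection access, with one that also requires the per-collection manage flag, plus a small audit helper for reviewing memberships; the role names, the `CollectionAccess` struct and the function names are assumptions.

```rust
// Added illustration, not Vaultwarden's own code: simplified model of the
// per-collection authorization decision described above (names are assumptions).

pub enum Role { Owner, Admin, Manager }

/// Constructed model of one member's relation to one collection: whether the
/// member can access it at all and whether they hold the `manage` flag for it.
pub struct CollectionAccess {
    pub role: Role,
    pub has_access: bool,
    pub manage: bool,
}

/// Vulnerable decision (mirrors the bug): only Manager-level headers plus
/// general collection access are required; the `manage` flag is never consulted.
pub fn can_manage_vulnerable(a: &CollectionAccess) -> bool {
    let manager_headers = matches!(a.role, Role::Owner | Role::Admin | Role::Manager);
    manager_headers && a.has_access
}

/// Hardened decision: a Manager must also hold the per-collection `manage`
/// flag. Letting Owner/Admin manage unconditionally is a simplifying assumption.
pub fn can_manage_fixed(a: &CollectionAccess) -> bool {
    match a.role {
        Role::Owner | Role::Admin => true,
        Role::Manager => a.has_access && a.manage,
    }
}

/// Audit helper: indices of memberships the vulnerable check would let update or
/// delete the collection but the hardened check denies (the escalation cases).
pub fn find_escalations(members: &[CollectionAccess]) -> Vec<usize> {
    members
        .iter()
        .enumerate()
        .filter(|(_, a)| can_manage_vulnerable(a) && !can_manage_fixed(a))
        .map(|(i, _)| i)
        .collect()
}

fn main() {
    // Constructed sample memberships for one collection.
    let members = [
        CollectionAccess { role: Role::Manager, has_access: true, manage: false },
        CollectionAccess { role: Role::Admin, has_access: true, manage: false },
    ];
    println!("escalation-prone entries: {:?}", find_escalations(&members));
}
```

Running the audit helper over an export of collection memberships on an instance still below 1.35.4 shows which Manager entries could have used the gap before the upgrade.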

Weakness Enumeration

Improper Privilege Management
Improper Authorization
Incorrect Authorization

Related Identifiers

CVE-2026-27803
GHSA-H4HQ-RGVH-WH27

Affected Products

Bitwarden
Vaultwarden