PT-2026-7721

Odgrso · Published 2026-02-11 · Updated 2026-02-18

CVE-2026-26012
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: vaultwarden versions prior to 1.35.3

Description: vaultwarden, an unofficial Bitwarden-compatible server written in Rust and previously known as bitwarden_rs, had a flaw that let a standard organization member read every cipher in the organization, bypassing collection permissions. The issue stemmed from the /ciphers/organization-details API endpoint, which used the Cipher::find_by_org function to retrieve all ciphers for the given organization_id. These ciphers were returned with CipherSyncType::Organization without enforcing collection-level access control.

Recommendations: Update to version 1.35.3 or later.
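As an added illustration of the flaw described above (not vaultwarden's own code; the types below are a hypothetical in-memory model rather than its database layer), this Rust snippet places an organization-only lookup beside a collection-scoped one, so the difference a standard member sees is visible:

```rust
// Hypothetical model of the authorization flaw: not vaultwarden's actual code.
use std::collections::HashSet;

#[derive(Debug, Clone, PartialEq)]
struct Cipher {
    id: u32,
    org_id: u32,
    collection_ids: Vec<u32>,
}

/// Constructed sample data: organization 1 has two collections (100, 200)
/// holding one cipher each; organization 2 is unrelated.
fn sample_ciphers() -> Vec<Cipher> {
    vec![
        Cipher { id: 10, org_id: 1, collection_ids: vec![100] },
        Cipher { id: 11, org_id: 1, collection_ids: vec![200] },
        Cipher { id: 12, org_id: 2, collection_ids: vec![300] },
    ]
}

/// Vulnerable pattern: scopes only by organization, so any member of the
/// organization receives every cipher regardless of collection membership.
fn find_by_org(ciphers: &[Cipher], org_id: u32) -> Vec<u32> {
    ciphers.iter().filter(|c| c.org_id == org_id).map(|c| c.id).collect()
}

/// Hardened pattern: the organization filter is intersected with the set of
/// collections the requesting user has actually been granted.
fn find_by_org_for_user(ciphers: &[Cipher], org_id: u32, granted: &HashSet<u32>) -> Vec<u32> {
    ciphers
        .iter()
        .filter(|c| c.org_id == org_id)
        .filter(|c| c.collection_ids.iter().any(|cid| granted.contains(cid)))
        .map(|c| c.id)
        .collect()
}

fn main() {
    let ciphers = sample_ciphers();
    // A standard member of organization 1 who is granted only collection 100.
    let granted: HashSet<u32> = [100u32].iter().copied().collect();
    println!("organization-only: {:?}", find_by_org(&ciphers, 1)); // [10, 11]
    println!("collection-scoped: {:?}", find_by_org_for_user(&ciphers, 1, &granted)); // [10]
}
```

Users with organization-wide rights would be handled by passing the full set of the organization's collections, so the scoped query is the only code path that ever reaches the database.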

Weakness Enumeration: Incorrect Authorization

Related Identifiers:
CVE-2026-26012
GHSA-H265-G7RM-H337

Affected Products:
Bitwarden
Vaultwarden