anonhaven
Ad

CVE-2026-27803

HIGH CVSS 3.1: 8.3 EPSS 0.05%
Updated Mar 05, 2026
Vaultwarden
Parameter Value
CVSS 8.3 (HIGH)
Fixed In 1.35.4
Type CWE-285 (Improper Authorization), CWE-863 (Incorrect Authorization), CWE-269 (Improper Privilege Management)
Vendor Vaultwarden
Public PoC No

Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, when a Manager has manage=false for a given collection, they can still perform several management operations as long as they have access to the collection. This issue has been patched in version 1.35.4.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
Low
Partial disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-285 Improper Authorization
CWE-863 Incorrect Authorization
CWE-269 Improper Privilege Management

References 1

https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h4hq-rgvh-w…
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-27898

Vaultwarden

5.4

CVE-2026-27802

Vaultwarden

8.3