CVE-2026-27898

Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, an authenticated regular user can specify another user’s cipher_id and call "PUT /api/ciphers/{id}/partial" Even though the standard retrieval API correctly denies access to that cipher, the partial update endpoint returns 200 OK and exposes cipherDetails (including name, notes, data, secureNote, etc.). This issue has been patched in version 1.35.4.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-w9f8-m526-h7fh	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:dani-garcia:vaultwarden:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-04 22:16

Updated : 2026-03-06 19:45

NVD link : CVE-2026-27898

Mitre link : CVE-2026-27898

CVE.ORG link : CVE-2026-27898

JSON object : View

Products Affected

dani-garcia

vaultwarden

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2026-27898", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}]}, "published": "2026-03-04T22:16:18.373", "references": [{"url": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-w9f8-m526-h7fh", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, an authenticated regular user can specify another user\u2019s cipher_id and call \"PUT /api/ciphers/{id}/partial\" Even though the standard retrieval API correctly denies access to that cipher, the partial update endpoint returns 200 OK and exposes cipherDetails (including name, notes, data, secureNote, etc.). This issue has been patched in version 1.35.4."}, {"lang": "es", "value": "Vaultwarden es un servidor compatible con Bitwarden no oficial escrito en Rust, anteriormente conocido como bitwarden_rs. Antes de la versi\u00f3n 1.35.4, un usuario regular autenticado puede especificar el cipher_id de otro usuario y llamar a 'PUT /api/ciphers/{id}/partial'. Aunque la API de recuperaci\u00f3n est\u00e1ndar deniega correctamente el acceso a ese cifrado, el endpoint de actualizaci\u00f3n parcial devuelve 200 OK y expone cipherDetails (incluyendo nombre, notas, datos, secureNote, etc.). Este problema ha sido parcheado en la versi\u00f3n 1.35.4."}], "lastModified": "2026-03-06T19:45:12.067", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dani-garcia:vaultwarden:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3EE3AB66-F61B-479C-A6C3-C2EEEB6FD55A", "versionEndExcluding": "1.35.4"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}