CVE-2026-33420
Analyzed Analyzed - Analysis Complete
Authorization Bypass in Vaultwarden Collections

Publication date: 2026-05-05

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
Vaultwarden is a Bitwarden-compatible server written in Rust. In version 1.35.4 and earlier, the get_org_collections_details endpoint (GET /api/organizations/{org_id}/collections/details) is missing the has_full_access() authorization check that exists on the sibling get_org_collections endpoint. This allows any Manager-role user with accessAll=False and no collection assignments to retrieve the names, UUIDs, user-to-collection mappings, and group-to-collection mappings for all collections in the organization. This issue has been fixed in version 1.35.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-08
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33420
EUVD
EUVD-2026-27448
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dani-garcia vaultwarden to 1.35.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Vaultwarden versions 1.35.4 and earlier, specifically in the get_org_collections_details endpoint. The endpoint is missing an important authorization check called has_full_access() that is present in a similar endpoint. Because of this, any user with the Manager role who does not have full access and no collection assignments can still retrieve sensitive information about all collections in the organization.

  • The exposed information includes collection names, UUIDs, user-to-collection mappings, and group-to-collection mappings.

This flaw violates the principle of least privilege by allowing unauthorized enumeration of organizational collections, potentially aiding attackers in mapping organizational structures and user access patterns.

The issue was fixed in Vaultwarden version 1.35.5.

Impact Analysis

This vulnerability can impact you by allowing a Manager-role user without full access to gain unauthorized visibility into all collections within your organization.

  • An attacker or unauthorized user could retrieve sensitive metadata such as collection names and mappings between users/groups and collections.
  • This information leakage could facilitate further malicious activities by revealing organizational structure and access patterns.

Overall, it increases the risk of unauthorized data exposure and potential exploitation within your Vaultwarden server.

Detection Guidance

This vulnerability involves unauthorized access to the /api/organizations/{org_id}/collections/details endpoint in Vaultwarden versions 1.35.4 and earlier. Detection can focus on monitoring access to this specific API endpoint.

You can detect potential exploitation attempts by checking server logs or network traffic for GET requests to the endpoint /api/organizations/{org_id}/collections/details made by Manager-role users who should not have full access.

Suggested commands to detect such activity might include:

  • Using grep on server logs to find suspicious API calls: grep "/api/organizations/.*/collections/details" /path/to/vaultwarden/logs/access.log
  • Using network monitoring tools like tcpdump or Wireshark to filter HTTP GET requests to the vulnerable endpoint.
  • Querying Vaultwarden audit logs (if enabled) for Manager-role users accessing the collections details endpoint without proper collection assignments.

Note that no specific detection commands are provided in the resources, so these suggestions are based on typical methods to monitor API endpoint access.

Mitigation Strategies

The primary mitigation step is to upgrade Vaultwarden to version 1.35.5 or later, where this vulnerability has been fixed by adding the missing authorization check.

Version 1.35.5 includes the patch that enforces the has_full_access() authorization check on the /api/organizations/{org_id}/collections/details endpoint, preventing unauthorized enumeration of collections.

Additionally, users are advised to review access permissions for Manager-role users and ensure that no users have inappropriate access settings such as accessAll=False with no collection assignments.

Applying the update promptly is critical to prevent attackers from exploiting this vulnerability to map organizational structures and user access patterns.

Compliance Impact

The vulnerability allows Manager-role users without full access to retrieve sensitive organizational data such as collection names, UUIDs, and user-to-collection mappings. This unauthorized data exposure could lead to violations of data protection principles like least privilege and data minimization, which are important for compliance with standards such as GDPR and HIPAA.

By enabling unauthorized access to organizational structure and user access patterns, the vulnerability increases the risk of data breaches or misuse of sensitive information, potentially impacting compliance with regulations that require strict access controls and protection of personal or sensitive data.

The issue has been fixed in version 1.35.5, and users are strongly advised to update to mitigate these risks and maintain compliance.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33420. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart