CVE-2026-33420
Authorization Bypass in Vaultwarden Collections
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vaultwarden | vaultwarden | up to 1.35.5 (excluding) |
| vaultwarden | vaultwarden | 1.35.5 |
| dani-garcia | vaultwarden | 1.35.4 |
| dani-garcia | vaultwarden | 1.35.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Vaultwarden versions 1.35.4 and earlier, specifically in the get_org_collections_details endpoint. The endpoint is missing the has_full_access() authorization check that a similar endpoint performs. Because of this, any organization member with the Manager role who has neither full access (accessAll) nor any collection assignments can still retrieve details about every collection in the organization.
- The exposed information includes collection names, UUIDs, user-to-collection mappings, and group-to-collection mappings.
This flaw violates the principle of least privilege by allowing unauthorized enumeration of organizational collections, potentially aiding attackers in mapping organizational structures and user access patterns.
The issue was fixed in Vaultwarden version 1.35.5.
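The missing check is easiest to see as a before/after model of the authorization decision. The following is an added illustration written for this page, not Vaultwarden's Rust code: the Member, Collection, has_full_access and get_org_collections_details_* names, the role gate, and the sample data are all assumptions chosen to mirror the advisory's wording. The "fixed" variant returns only explicitly assigned collections to a member without full access, which is the behaviour the advisory attributes to the similar endpoint.

```python
from dataclasses import dataclass, field

# Hypothetical model of the authorization decision. Names mirror the advisory
# (has_full_access, get_org_collections_details) but this is illustrative
# Python, not the project's implementation.


@dataclass(frozen=True)
class Collection:
    uuid: str
    org_uuid: str
    name: str


@dataclass
class Member:
    user_uuid: str
    org_uuid: str
    role: str                 # "Owner", "Admin", "User" or "Manager"
    access_all: bool          # Bitwarden "accessAll" flag
    assigned: frozenset = field(default_factory=frozenset)  # assigned collection uuids

    def has_full_access(self) -> bool:
        # Owners and Admins see every collection; so does anyone with accessAll.
        return self.role in ("Owner", "Admin") or self.access_all


def _role_gate(member: Member) -> None:
    # Assumed Manager-or-above gate on the endpoint (plain Users are rejected).
    if member.role not in ("Owner", "Admin", "Manager"):
        raise PermissionError("Manager role or above required")


def get_org_collections_details_vulnerable(member: Member, collections):
    # Pre-fix behaviour (CWE-862): only the role gate runs. A Manager with
    # access_all=False and no assignments still receives every collection.
    _role_gate(member)
    return [c for c in collections if c.org_uuid == member.org_uuid]


def get_org_collections_details_fixed(member: Member, collections):
    # Post-fix behaviour: full-access members get everything, everyone else is
    # limited to collections they are explicitly assigned. An empty assignment
    # set therefore yields an empty response instead of the whole organization.
    _role_gate(member)
    in_org = [c for c in collections if c.org_uuid == member.org_uuid]
    if member.has_full_access():
        return in_org
    return [c for c in in_org if c.uuid in member.assigned]


# Constructed sample data (not taken from any real deployment).
ORG = "org-1"
SAMPLE_COLLECTIONS = [
    Collection("c1", ORG, "Finance"),
    Collection("c2", ORG, "Engineering"),
    Collection("c3", "org-2", "Unrelated org"),
]
UNASSIGNED_MANAGER = Member("u1", ORG, "Manager", access_all=False)
ASSIGNED_MANAGER = Member("u2", ORG, "Manager", access_all=False, assigned=frozenset({"c2"}))
OWNER = Member("u3", ORG, "Owner", access_all=False)


if __name__ == "__main__":
    before = get_org_collections_details_vulnerable(UNASSIGNED_MANAGER, SAMPLE_COLLECTIONS)
    after = get_org_collections_details_fixed(UNASSIGNED_MANAGER, SAMPLE_COLLECTIONS)
    print("vulnerable:", [c.name for c in before])
    print("fixed:     ", [c.name for c in after])
```

The vulnerable variant hands the unassigned Manager both collections of org-1 (and correctly nothing from org-2); the fixed variant returns an empty list for the same caller while an Owner, or a Manager assigned to "c2", still sees what they are entitled to.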
How can this vulnerability impact me?
This vulnerability can impact you by allowing a Manager-role user without full access to gain unauthorized visibility into all collections within your organization.
- An attacker or unauthorized user could retrieve sensitive metadata such as collection names and mappings between users/groups and collections.
- This information leakage could facilitate further malicious activities by revealing organizational structure and access patterns.
Overall, it increases the risk of unauthorized data exposure and potential exploitation within your Vaultwarden server.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized access to the /api/organizations/{org_id}/collections/details endpoint in Vaultwarden versions 1.35.4 and earlier. Detection can focus on monitoring access to this specific API endpoint.
You can look for GET requests to /api/organizations/{org_id}/collections/details in the Vaultwarden log (the file set by LOG_FILE, with EXTENDED_LOGGING enabled so that requests are written) or in the access log of the reverse proxy in front of it. The request line itself typically does not identify the caller, so a hit is only suspicious once you correlate it (by time and source address) with the session of a Manager-role member who has neither full access nor collection assignments.
Suggested commands to detect such activity might include:
- Using grep on the server log to find calls to the endpoint (replace the path with your LOG_FILE or proxy access log): grep -E "GET /api/organizations/[0-9a-f-]+/collections/details" /path/to/vaultwarden/logs/access.log
- Using network monitoring tools like tcpdump or Wireshark to filter HTTP GET requests to the vulnerable endpoint. Note that in most deployments TLS is terminated at a reverse proxy, so the capture has to be taken on the plaintext leg between the proxy and Vaultwarden, or replaced by the proxy's access log.
- Querying Vaultwarden's organization event log (if enabled) for Manager-role users whose access settings do not include full access or collection assignments, and cross-checking their activity against the endpoint hits above.
Note that no specific detection commands are provided in the resources, so these suggestions are based on typical methods to monitor API endpoint access.
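The grep above can be turned into a small log scanner that extracts the timestamp and organization ID of every hit and counts hits per organization, which is what you need before correlating with member sessions. This is an added example for this page, not a tool shipped with Vaultwarden; the log lines are constructed, and the line layout (`[timestamp][target][level] METHOD /path`) is an assumption about Vaultwarden's extended request logging that you should verify against your own LOG_FILE. The regex accepts any sequence of bracketed tags before the method so it tolerates a different tag order.

```python
import re
from collections import Counter

# Constructed sample lines in a Vaultwarden-like request-log layout. The
# layout is an assumption; check your own LOG_FILE before relying on it.
SAMPLE_LOG = """\
[2026-05-05 09:12:01.100][request][INFO] GET /api/organizations/7a1f3c2e-9b4d-4e6f-8a1b-2c3d4e5f6a7b/collections
[2026-05-05 09:12:03.412][request][INFO] GET /api/organizations/7a1f3c2e-9b4d-4e6f-8a1b-2c3d4e5f6a7b/collections/details
[2026-05-05 09:12:03.420][response][INFO] (get_org_collections_details) GET /api/organizations/<org_id>/collections/details => 200 OK
[2026-05-05 09:15:44.008][request][INFO] POST /api/organizations/7a1f3c2e-9b4d-4e6f-8a1b-2c3d4e5f6a7b/collections
[2026-05-05 09:20:10.900][request][INFO] GET /api/organizations/0b9e8d7c-6f5a-4b3c-9d2e-1f0a9b8c7d6e/collections/details?x=1
"""

# Leading timestamp, then any number of [tag] blocks, then the request line.
# Only GET requests to the collections/details route with a real UUID match;
# the Rocket-style "<org_id>" placeholder on the response line does not.
DETAILS_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\](?:\[[^\]]*\])*\s*GET\s+"
    r"/api/organizations/(?P<org>[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-"
    r"[0-9a-fA-F]{4}-[0-9a-fA-F]{12})/collections/details(?:\?[^\s]*)?\s*$"
)


def find_details_requests(log_text: str):
    """Return one dict per request to the vulnerable endpoint, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = DETAILS_RE.match(line)
        if m:
            hits.append({"ts": m.group("ts"), "org": m.group("org").lower()})
    return hits


def requests_per_org(hits) -> Counter:
    """Count endpoint hits per organization ID for quick triage."""
    return Counter(h["org"] for h in hits)


if __name__ == "__main__":
    found = find_details_requests(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']}  org={h['org']}")
    for org, n in requests_per_org(found).most_common():
        print(f"{n:3d}  {org}")
```

Run it against your real log with `find_details_requests(open(path).read())`; the timestamps are what you then line up with the session or source-address data of members whose permissions you review under the mitigation section.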
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Vaultwarden to version 1.35.5 or later, where this vulnerability has been fixed by adding the missing authorization check.
Version 1.35.5 includes the patch that enforces the has_full_access() authorization check on the /api/organizations/{org_id}/collections/details endpoint, preventing unauthorized enumeration of collections.
Additionally, administrators are advised to review the permissions of Manager-role members and look for the combination that triggers the bypass: accessAll=false together with no collection assignments. Such members either need explicit collection assignments or a different role; until the upgrade is applied, they are the accounts able to enumerate every collection.
Applying the update promptly is critical to prevent attackers from exploiting this vulnerability to map organizational structures and user access patterns.
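The permission review can be scripted over the organization member list. The following is an added example, not part of the advisory or of Vaultwarden: it assumes a member list shaped like the Bitwarden organization-users API response (a `type` code where Manager is 3, an `accessAll` boolean and a `collections` array), which is the shape Vaultwarden emulates, and the member records are constructed sample data. Verify the field names against a real response from your server before relying on it.

```python
import json

# Bitwarden organization user type codes (assumption; Owner=0, Admin=1, User=2, Manager=3).
ROLE_MANAGER = 3
ROLE_NAMES = {0: "Owner", 1: "Admin", 2: "User", 3: "Manager"}

# Constructed sample of an organization-users response; not real data.
SAMPLE_MEMBERS_JSON = json.dumps([
    {"id": "m-1", "email": "alice@example.com", "type": 0, "accessAll": True,  "collections": []},
    {"id": "m-2", "email": "bob@example.com",   "type": 3, "accessAll": False, "collections": []},
    {"id": "m-3", "email": "carol@example.com", "type": 3, "accessAll": False,
     "collections": [{"id": "c-2", "readOnly": False, "hidePasswords": False}]},
    {"id": "m-4", "email": "dave@example.com",  "type": 3, "accessAll": True,  "collections": []},
    {"id": "m-5", "email": "erin@example.com",  "type": 2, "accessAll": False, "collections": []},
])


def is_exposed_manager(member: dict) -> bool:
    """True for the configuration the advisory describes: Manager, no accessAll,
    no collection assignments. Missing fields are treated as False/empty."""
    return (
        member.get("type") == ROLE_MANAGER
        and not member.get("accessAll", False)
        and not member.get("collections")
    )


def find_exposed_managers(members_json: str):
    """Return the emails of members that should be re-scoped before/while upgrading."""
    members = json.loads(members_json)
    return sorted(m["email"] for m in members if is_exposed_manager(m))


def summarize(members_json: str) -> dict:
    """Count members per role name for a quick overview of the organization."""
    counts = {}
    for m in json.loads(members_json):
        name = ROLE_NAMES.get(m.get("type"), f"unknown({m.get('type')})")
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    print("roles:", summarize(SAMPLE_MEMBERS_JSON))
    for email in find_exposed_managers(SAMPLE_MEMBERS_JSON):
        print("REVIEW:", email, "(Manager, accessAll=false, no collections)")
```

Only bob is flagged: carol has an explicit assignment, dave has accessAll, and erin is a plain User, so none of them match the advisory's trigger condition.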
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows Manager-role users without full access to retrieve sensitive organizational data such as collection names, UUIDs, and user-to-collection mappings. This unauthorized data exposure could lead to violations of data protection principles like least privilege and data minimization, which are important for compliance with standards such as GDPR and HIPAA.
By enabling unauthorized access to organizational structure and user access patterns, the vulnerability increases the risk of data breaches or misuse of sensitive information, potentially impacting compliance with regulations that require strict access controls and protection of personal or sensitive data.
The issue has been fixed in version 1.35.5, and users are strongly advised to update to mitigate these risks and maintain compliance.