CVE-2026-43912
Received Received - Intake
Vaultwarden Organization Group Access Control Bypass

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden does not enforce that a groups_users.users_organizations_uuid entry belongs to the same organization as groups.groups_uuid, or a collections_groups.collections_uuid entry belongs to the same organization as collections_groups.groups_uuid. Multiple organization group-management endpoints accept arbitrary MembershipId and CollectionId values and persist them directly without verifying org consistency. This lets an attacker who is Admin in Organization A, and only a low-privileged member in Organization B bind their Org B membership UUID into an Org A group, then use that foreign group relationship to gain unauthorized access to Org B vault data. With an accessAll=true Org A group, the attacker can make /api/sync and /api/ciphers enumerate Org B ciphers. Once those unauthorized sync results reveal Org B collection IDs, the attacker can also bind those foreign collection IDs to the Org A group and turn the same flaw into write access over Org B items. This vulnerability is fixed in 1.35.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-12
EPSS Evaluated
2026-06-20
NVD
CVE-2026-43912
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vaultwarden vaultwarden 1.35.5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows an attacker with administrative privileges in one organization to gain unauthorized read and write access to another organization's sensitive vault data. Such unauthorized access to confidential information can lead to violations of data protection regulations like GDPR and HIPAA, which mandate strict controls on access to personal and sensitive data.

By enabling cross-organization data exposure and modification without proper authorization, the vulnerability undermines the principles of data confidentiality and integrity required by these standards.

Executive Summary

This vulnerability exists in Vaultwarden versions prior to 1.35.5. Vaultwarden does not properly verify that certain group and collection membership entries belong to the same organization. Specifically, it fails to enforce that a groups_users.users_organizations_uuid entry matches the organization of groups.groups_uuid, and similarly for collections_groups.collections_uuid and collections_groups.groups_uuid.

Because of this, an attacker who is an Admin in one organization (Organization A) but only a low-privileged member in another organization (Organization B) can exploit this flaw. They can bind their membership UUID from Organization B into a group in Organization A, thereby gaining unauthorized access to Organization B's vault data through Organization A's group.

With an accessAll=true group in Organization A, the attacker can use API endpoints like /api/sync and /api/ciphers to enumerate and access Organization B's cipher data. After discovering Organization B's collection IDs, the attacker can also bind those foreign collection IDs to the Organization A group, escalating their access to write permissions over Organization B's items.

This vulnerability was fixed in Vaultwarden version 1.35.5.

Impact Analysis

This vulnerability can lead to unauthorized access and modification of sensitive data stored in Vaultwarden vaults across different organizations.

  • An attacker with admin rights in one organization can gain unauthorized read access to vault data in another organization where they have low privileges.
  • The attacker can enumerate sensitive cipher data and collection IDs belonging to another organization.
  • The attacker can escalate privileges to write access on another organization's vault items by exploiting the binding flaw.

Overall, this can lead to data breaches, loss of confidentiality, and unauthorized data manipulation.

Mitigation Strategies

The vulnerability is fixed in Vaultwarden version 1.35.5. The immediate step to mitigate this vulnerability is to upgrade Vaultwarden to version 1.35.5 or later.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43912. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart