CVE-2026-43912
Vaultwarden Organization Group Access Control Bypass
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vaultwarden | vaultwarden | < 1.35.5 (fixed in 1.35.5) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Vaultwarden versions prior to 1.35.5. Vaultwarden does not verify that the two sides of a group membership or group-to-collection binding belong to the same organization. Specifically, it fails to enforce that the users_organizations row referenced by groups_users.users_organizations_uuid belongs to the same organization as the group referenced by groups_users.groups_uuid, and likewise that collections_groups.collections_uuid and collections_groups.groups_uuid refer to a collection and a group of the same organization.
Because of this, an attacker who is an Admin in one organization (Organization A) but only a low-privileged member of another organization (Organization B) on the same instance can bind their own Organization B membership UUID into a group in Organization A, and so gain unauthorized access to Organization B's vault data through Organization A's group.
If that Organization A group has accessAll=true, the attacker can use API endpoints such as /api/sync and /api/ciphers to enumerate and read Organization B's cipher data. Once Organization B's collection IDs are known, the attacker can also bind those foreign collection IDs to the Organization A group, escalating to write access over Organization B's items.
This vulnerability was fixed in Vaultwarden version 1.35.5.
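The missing check described above, shown as an added example in Rust (Vaultwarden's language) that is not Vaultwarden's own code: an in-memory stand-in for the tables the advisory names, with the pre-fix bind that only checks the rows exist beside a hardened bind that also compares organizations, plus an audit over already-stored rows. The structs, the BindError type, the handler logic and the sample identifiers (org-A, org-B, grp-A, mem-A, mem-B, coll-B) are constructed for this example; only the table and column names come from the advisory.

```rust
use std::collections::HashMap;

// Constructed in-memory stand-in for the Vaultwarden tables the advisory names
// (groups, users_organizations, collections, groups_users, collections_groups).
// Struct names, the error type and the handler logic are this example's own.
#[derive(Debug, Clone)] pub struct Group { pub uuid: String, pub org_uuid: String, pub access_all: bool }
#[derive(Debug, Clone)] pub struct Membership { pub uuid: String, pub org_uuid: String } // users_organizations row
#[derive(Debug, Clone)] pub struct Collection { pub uuid: String, pub org_uuid: String }

#[derive(Debug, PartialEq)]
pub enum BindError {
    NotFound,
    CrossOrg { group_org: String, target_org: String },
}

#[derive(Default)]
pub struct Db {
    pub groups: HashMap<String, Group>,
    pub memberships: HashMap<String, Membership>,
    pub collections: HashMap<String, Collection>,
    pub groups_users: Vec<(String, String)>,       // (groups_uuid, users_organizations_uuid)
    pub collections_groups: Vec<(String, String)>, // (collections_uuid, groups_uuid)
}

impl Db {
    /// Pre-fix shape of the bind as the advisory describes it: both referenced rows must
    /// exist, but nothing checks that the membership belongs to the group's organization.
    pub fn bind_member_unchecked(&mut self, group_uuid: &str, member_uuid: &str) -> Result<(), BindError> {
        if !self.groups.contains_key(group_uuid) || !self.memberships.contains_key(member_uuid) {
            return Err(BindError::NotFound);
        }
        self.groups_users.push((group_uuid.to_owned(), member_uuid.to_owned()));
        Ok(())
    }

    /// Hardened bind: the membership's organization must equal the group's organization.
    pub fn bind_member(&mut self, group_uuid: &str, member_uuid: &str) -> Result<(), BindError> {
        let group = self.groups.get(group_uuid).ok_or(BindError::NotFound)?;
        let member = self.memberships.get(member_uuid).ok_or(BindError::NotFound)?;
        if group.org_uuid != member.org_uuid {
            return Err(BindError::CrossOrg { group_org: group.org_uuid.clone(), target_org: member.org_uuid.clone() });
        }
        self.groups_users.push((group_uuid.to_owned(), member_uuid.to_owned()));
        Ok(())
    }

    /// Same rule for collections_groups: a group may only be granted collections of its own organization.
    pub fn bind_collection(&mut self, group_uuid: &str, collection_uuid: &str) -> Result<(), BindError> {
        let group = self.groups.get(group_uuid).ok_or(BindError::NotFound)?;
        let coll = self.collections.get(collection_uuid).ok_or(BindError::NotFound)?;
        if group.org_uuid != coll.org_uuid {
            return Err(BindError::CrossOrg { group_org: group.org_uuid.clone(), target_org: coll.org_uuid.clone() });
        }
        self.collections_groups.push((collection_uuid.to_owned(), group_uuid.to_owned()));
        Ok(())
    }

    /// Audit of rows already stored: every join-table row whose two sides disagree on organization.
    /// Worth running after the upgrade, on the assumption that a handler fix does not by itself
    /// remove bindings created while the instance was vulnerable.
    pub fn cross_org_rows(&self) -> Vec<String> {
        let mut out = Vec::new();
        for (g, m) in &self.groups_users {
            if let (Some(group), Some(member)) = (self.groups.get(g), self.memberships.get(m)) {
                if group.org_uuid != member.org_uuid {
                    out.push(format!("groups_users: group {g} ({}) <- membership {m} ({})", group.org_uuid, member.org_uuid));
                }
            }
        }
        for (c, g) in &self.collections_groups {
            if let (Some(coll), Some(group)) = (self.collections.get(c), self.groups.get(g)) {
                if group.org_uuid != coll.org_uuid {
                    out.push(format!("collections_groups: group {g} ({}) <- collection {c} ({})", group.org_uuid, coll.org_uuid));
                }
            }
        }
        out
    }
}

/// Constructed sample data: the attacker is Admin in org-A, which owns group grp-A
/// (accessAll=true), and a plain member of org-B (membership mem-B), which owns coll-B.
pub fn sample_db() -> Db {
    let mut db = Db::default();
    db.groups.insert("grp-A".into(), Group { uuid: "grp-A".into(), org_uuid: "org-A".into(), access_all: true });
    db.memberships.insert("mem-A".into(), Membership { uuid: "mem-A".into(), org_uuid: "org-A".into() });
    db.memberships.insert("mem-B".into(), Membership { uuid: "mem-B".into(), org_uuid: "org-B".into() });
    db.collections.insert("coll-B".into(), Collection { uuid: "coll-B".into(), org_uuid: "org-B".into() });
    db
}

fn main() {
    let mut db = sample_db();
    db.bind_member_unchecked("grp-A", "mem-B").unwrap(); // accepted on a vulnerable instance
    for row in db.cross_org_rows() { println!("AUDIT: {row}"); }
    println!("{:?}", db.bind_member("grp-A", "mem-B"));      // Err(CrossOrg ..)
    println!("{:?}", db.bind_collection("grp-A", "coll-B")); // Err(CrossOrg ..)
    println!("{:?}", db.bind_member("grp-A", "mem-A"));      // Ok(())
}
```

The point the example makes is that checking "does the referenced row exist" and "may the caller administer this group's organization" is not enough; the authorization decision has to compare the organization of every row being joined. The audit function is the database-side counterpart: the same equality, run over rows that already exist.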
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access to, and modification of, sensitive data stored in other organizations' vaults on the same Vaultwarden instance.
- An attacker with admin rights in one organization can gain unauthorized read access to vault data in another organization where they have low privileges.
- The attacker can enumerate sensitive cipher data and collection IDs belonging to another organization.
- The attacker can escalate privileges to write access on another organization's vault items by exploiting the binding flaw.
Overall, this can lead to data breaches, loss of confidentiality, and unauthorized data manipulation.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in Vaultwarden version 1.35.5. The immediate step is to upgrade Vaultwarden to version 1.35.5 or later.