Unauthorized Data Exposure in Vaultwarden Server by Bitwarden
CVE-2026-27898

5.4 MEDIUM

Key Information:

Vendor
CVE Published:
4 March 2026

What is CVE-2026-27898?

Vaultwarden, an unofficial Bitwarden-compatible server, contains a vulnerability that lets an authenticated user manipulate another user's cipher data through an insecure API endpoint. Although the standard retrieval API denies access to that cipher data, partial updates through the flawed endpoint expose sensitive fields such as names, notes, and secured data. The vulnerability is fixed in version 1.35.4, which underlines the importance of keeping the software up to date to prevent unauthorized data exposure.

Affected Version(s)

vaultwarden < 1.35.4

References

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
