Access Control Flaw in Vaultwarden Affects User Data Management
CVE-2026-43912

8.7 HIGH

Key Information:

Vendor
CVE Published: 11 May 2026

What is CVE-2026-43912?

Vaultwarden, a Bitwarden-compatible server, has a security flaw in its group management system. Prior to version 1.35.5, it fails to enforce organization-specific restrictions on user groups and collection entries: a user with administrative privileges in one organization can manipulate group memberships belonging to other organizations, because the server does not verify that the group, the collection entries and the memberships being bound all belong to the organization the caller administers. Consequently, an attacker could gain unauthorized access to sensitive data by binding foreign organization memberships, leading to potential data leaks and breaches. The flaw is fixed in version 1.35.5.
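The missing organization-scoping check described above, modelled as an added example. This is not Vaultwarden's own code: the type names, integer identifiers, store layout and sample data are assumptions constructed for illustration. The flawed variant only confirms that the caller is an admin somewhere; the hardened variant additionally requires that the group and the membership being bound belong to the caller's own organization.

```rust
use std::collections::HashMap;

// Identifiers are plain integers in this toy model (assumption).
type OrgId = u32;
type UserId = u32;
type GroupId = u32;
type MembershipId = u32;

/// A user's membership in one organization. The same user may hold
/// memberships in several organizations, each with its own id.
#[allow(dead_code)]
#[derive(Debug, Clone)]
struct Membership {
    user_id: UserId,
    org_id: OrgId,
    is_admin: bool,
}

/// A group belongs to exactly one organization.
#[derive(Debug, Clone)]
struct Group {
    org_id: OrgId,
}

#[derive(Debug, PartialEq, Eq)]
enum AuthzError {
    NotFound,
    NotAdmin,
    CrossOrganization,
}

#[derive(Default)]
struct Store {
    memberships: HashMap<MembershipId, Membership>,
    groups: HashMap<GroupId, Group>,
    /// (group, membership) pairs that have been bound so far.
    group_members: Vec<(GroupId, MembershipId)>,
}

impl Store {
    /// Flawed pattern: the caller is checked for admin rights, but neither the
    /// group nor the target membership is checked against the caller's
    /// organization. An admin of org A can therefore bind an org B membership
    /// into an org B group.
    fn add_member_vulnerable(&mut self, caller: MembershipId, group: GroupId, target: MembershipId) -> Result<(), AuthzError> {
        let caller_m = self.memberships.get(&caller).ok_or(AuthzError::NotFound)?;
        if !caller_m.is_admin {
            return Err(AuthzError::NotAdmin);
        }
        if !self.groups.contains_key(&group) || !self.memberships.contains_key(&target) {
            return Err(AuthzError::NotFound);
        }
        self.group_members.push((group, target));
        Ok(())
    }

    /// Hardened pattern: every object the request touches must belong to the
    /// organization the caller administers. Existence and ownership are
    /// checked before any state changes.
    fn add_member_fixed(&mut self, caller: MembershipId, group: GroupId, target: MembershipId) -> Result<(), AuthzError> {
        let caller_m = self.memberships.get(&caller).ok_or(AuthzError::NotFound)?;
        if !caller_m.is_admin {
            return Err(AuthzError::NotAdmin);
        }
        let org = caller_m.org_id;
        let group_org = self.groups.get(&group).ok_or(AuthzError::NotFound)?.org_id;
        let target_org = self.memberships.get(&target).ok_or(AuthzError::NotFound)?.org_id;
        if group_org != org || target_org != org {
            // A cross-organization reference is an authorization failure; a real
            // service would also log it here, since it is a strong detection signal.
            return Err(AuthzError::CrossOrganization);
        }
        self.group_members.push((group, target));
        Ok(())
    }
}

/// Constructed sample data: org 1 and org 2, an admin in each, a regular
/// member in org 2, and one group per organization.
fn sample_store() -> Store {
    let mut s = Store::default();
    s.memberships.insert(10, Membership { user_id: 100, org_id: 1, is_admin: true });  // admin of org 1
    s.memberships.insert(20, Membership { user_id: 200, org_id: 2, is_admin: true });  // admin of org 2
    s.memberships.insert(21, Membership { user_id: 201, org_id: 2, is_admin: false }); // member of org 2
    s.groups.insert(1, Group { org_id: 1 });
    s.groups.insert(2, Group { org_id: 2 });
    s
}

fn main() {
    // The org-1 admin tries to bind an org-2 membership into an org-2 group.
    let mut s = sample_store();
    println!("vulnerable: {:?}", s.add_member_vulnerable(10, 2, 21));
    let mut s = sample_store();
    println!("fixed:      {:?}", s.add_member_fixed(10, 2, 21));
    println!("legitimate: {:?}", s.add_member_fixed(20, 2, 21));
}
```

The same ownership comparison applies to collection entries: any identifier supplied by the client must be resolved and its organization compared with the caller's before it is written to the group.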

Affected Version(s)

vaultwarden < 1.35.5

References

CVSS V3.1

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
