CVE-2024-39924
📋 TL;DR
This vulnerability allows an attacker with emergency access to a Vaultwarden vault to escalate privileges from read-only to full control. By exploiting a missing authentication check in the emergency access metadata endpoint, attackers can modify access levels and bypass wait periods. This affects all Vaultwarden instances running vulnerable versions where emergency access features are enabled.
💻 Affected Systems
- Vaultwarden (formerly Bitwarden_RS)
📦 What is this software?
Vaultwarden by Dani Garcia
⚠️ Risk & Real-World Impact
Worst Case
An attacker with emergency access can gain full administrative control over the entire password vault, potentially compromising all stored credentials, secure notes, and sensitive data.
Likely Case
Malicious or compromised emergency access contacts can elevate their privileges to steal or manipulate vault contents without the legitimate owner's knowledge.
If Mitigated
With proper access controls and monitoring, the impact is limited to unauthorized privilege escalation within the emergency access framework.
🎯 Exploit Status
Exploitation requires having emergency access credentials. The vulnerability is in the API endpoint logic, making exploitation straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.32.0
Vendor Advisory: https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.0
Restart Required: Yes
Instructions:
1. Backup your Vaultwarden data and configuration.
2. Stop the Vaultwarden service.
3. Update to version 1.32.0 or later using your preferred installation method (Docker, binary, package manager).
4. Restart the Vaultwarden service.
5. Verify the update was successful.
🔧 Temporary Workarounds
Disable Emergency Access
Temporarily disable emergency access features to prevent exploitation while planning the upgrade.
Set EMERGENCY_ACCESS_ALLOWED=false in your Vaultwarden configuration
🧯 If You Can't Patch
- Review and audit all emergency access grants, removing any unnecessary or suspicious access.
- Implement network segmentation and access controls to limit who can reach the Vaultwarden instance.
🔍 How to Verify
Check if Vulnerable:
Check if running Vaultwarden version 1.30.3 or earlier with emergency access enabled.
Check Version:
docker exec vaultwarden vaultwarden --version || ./vaultwarden --version
Verify Fix Applied:
Confirm Vaultwarden version is 1.32.0 or later and emergency access functionality works correctly without allowing privilege escalation.
📡 Detection & Monitoring
Log Indicators:
- Unusual emergency access modifications
- Multiple emergency access metadata update attempts
- Emergency access level changes from read to write
Network Indicators:
- API calls to /api/emergency-access/{id} with PUT method modifying access type or wait time
SIEM Query:
source="vaultwarden" AND (uri_path="/api/emergency-access/*" AND http_method="PUT") AND (request_body LIKE "%access_type%" OR request_body LIKE "%wait_time_days%")
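As an added example that is not part of this advisory, the script below applies the two checks above in Python: the version test from "How to Verify" against the 1.32.0 patch version, and the PUT /api/emergency-access/{id} indicator from the SIEM query, run over constructed sample log lines in an assumed "timestamp source method path body" layout (not Vaultwarden's native log format; the UUID-shaped id is also an assumption).

```python
import re
from collections import Counter

PATCH_VERSION = (1, 32, 0)  # patch version named in the advisory

# Network indicator from the advisory: PUT /api/emergency-access/{id}.
# The id is assumed to be UUID-shaped; list endpoints such as
# /api/emergency-access/trusted do not match.
EA_UPDATE = re.compile(r"^/api/emergency-access/(?P<id>[0-9a-f-]{36})$")
# Body fields from the advisory's SIEM query.
META_FIELDS = re.compile(r"access_type|wait_time_days", re.IGNORECASE)

# Constructed sample log lines: "ts src method path body".
SAMPLE_LOG = [
    "2024-07-08T10:01:02Z 203.0.113.5 GET /api/emergency-access/trusted -",
    "2024-07-08T10:02:11Z 203.0.113.5 PUT /api/emergency-access/7d3a9f2e-1b4c-4e8a-9c6d-000000000001 {\"access_type\":1,\"wait_time_days\":0}",
    "2024-07-08T10:02:30Z 203.0.113.5 PUT /api/emergency-access/7d3a9f2e-1b4c-4e8a-9c6d-000000000001 {\"access_type\":1,\"wait_time_days\":0}",
    "2024-07-08T10:03:00Z 198.51.100.7 PUT /api/emergency-access/7d3a9f2e-1b4c-4e8a-9c6d-000000000002 {\"wait_time_days\":7}",
    "2024-07-08T10:04:00Z 198.51.100.7 POST /api/emergency-access/7d3a9f2e-1b4c-4e8a-9c6d-000000000002/reinvite -",
    "2024-07-08T10:05:00Z 203.0.113.5 PUT /api/emergency-access/7d3a9f2e-1b4c-4e8a-9c6d-000000000001 {\"key_encrypted\":\"...\"}",
]


def parse_version(text):
    """Extract the first x.y.z triple from e.g. 'vaultwarden 1.30.3'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(x) for x in m.groups())


def needs_upgrade(version_text):
    """True when the running version is below the advisory's patch version."""
    return parse_version(version_text) < PATCH_VERSION


def find_metadata_updates(lines):
    """Return PUT requests to an emergency-access id whose body touches
    the access type or wait time (the log indicator 'access level changes')."""
    hits = []
    for line in lines:
        parts = line.split(" ", 4)
        if len(parts) < 5:
            continue
        ts, src, method, path, body = parts
        m = EA_UPDATE.match(path)
        if method == "PUT" and m and META_FIELDS.search(body):
            hits.append({"ts": ts, "src": src, "id": m.group("id"), "body": body})
    return hits


def repeated_sources(hits, threshold=2):
    """Sources with repeated metadata updates ('multiple update attempts')."""
    counts = Counter(h["src"] for h in hits)
    return {src: n for src, n in counts.items() if n >= threshold}
```

Feed it the output of the version command from "Check Version" and your proxy or access logs reshaped into the assumed layout; repeated_sources() surfaces the burst pattern the Log Indicators list describes.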