CVE-2024-55226

5.4 MEDIUM

📋 TL;DR

Vaultwarden v1.32.5 contains an authenticated reflected cross-site scripting (XSS) vulnerability in the /api/core/mod.rs component. This allows authenticated attackers to inject malicious scripts that execute in victims' browsers when they visit crafted URLs. Only users running Vaultwarden v1.32.5 are affected.

💻 Affected Systems

Products:
  • Vaultwarden
Versions: v1.32.5 only
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations using the vulnerable version; requires attacker authentication.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated attacker could steal session cookies, perform actions as the victim, or redirect to malicious sites, potentially compromising the entire Vaultwarden instance and sensitive password data.

🟠 Likely Case

Attackers with valid credentials could perform limited session hijacking or credential theft against other users who click malicious links.

🟢 If Mitigated

With proper input validation and output encoding, injected markup is rendered as inert text rather than executed, so the impact is minimal.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access and victim interaction with crafted URLs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.32.6 or later

Vendor Advisory: https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.6

Restart Required: Yes

Instructions:

1. Stop the Vaultwarden service.
2. Update to v1.32.6 or later using your deployment method (Docker, manual install, etc.).
3. Restart the Vaultwarden service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Input Validation Filter (platform: all)

Implement web application firewall (WAF) rules to filter malicious script patterns in API requests.

# WAF rule example: block requests containing <script> tags in parameters
# Implementation depends on your WAF (e.g., ModSecurity, Cloudflare, AWS WAF)

🧯 If You Can't Patch

  • Restrict access to Vaultwarden to trusted networks only and implement strict authentication controls.
  • Monitor logs for unusual API requests to /api/core/mod.rs and educate users about phishing risks.

🔍 How to Verify

Check if Vulnerable:

Check your Vaultwarden version; if it's exactly v1.32.5, you are vulnerable.

Check Version:

docker exec vaultwarden vaultwarden --version  # For Docker; or check your deployment method

Verify Fix Applied:

After updating, confirm the version is v1.32.6 or later and test that script injection in API parameters is properly sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST/GET requests to /api/core/mod.rs with script-like parameters
  • Multiple failed authentication attempts followed by successful login and API access

Network Indicators:

  • HTTP requests containing <script> tags or JavaScript in URL parameters to the Vaultwarden API

SIEM Query:

source="vaultwarden" AND (url="/api/core/mod.rs" AND (param="<script>" OR param="javascript:"))
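The version check under "How to Verify" and the log indicators above, as an added example (not part of this advisory or of the Vaultwarden project): it scans constructed reverse-proxy access-log lines for script-like content in decoded query parameters of /api/ requests, and flags the exact affected version string. The log format and the output format of `vaultwarden --version` are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample access-log lines (reverse proxy in front of Vaultwarden); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /api/sync?excludeDomains=false HTTP/1.1" 200 5120
10.0.0.7 - - [01/Jan/2025:10:00:05 +0000] "GET /api/core/mod.rs?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 310
10.0.0.9 - - [01/Jan/2025:10:00:09 +0000] "POST /api/accounts/prelogin HTTP/1.1" 200 64
10.0.0.7 - - [01/Jan/2025:10:00:12 +0000] "GET /api/ciphers?name=javascript%3Aalert(document.cookie) HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Script-like content that has no legitimate place in a Vaultwarden API query string.
SCRIPT_RE = re.compile(r'<\s*script|javascript\s*:|\bon\w+\s*=', re.IGNORECASE)
VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)')


def flag_script_like_requests(log_text: str) -> list[dict]:
    """Return one record per /api/ request whose query parameters carry script-like content."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith("/api/"):
            continue
        # parse_qsl percent-decodes once; decoding a second time also catches
        # double-encoded payloads such as %253Cscript%253E.
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            decoded = unquote_plus(value)
            if SCRIPT_RE.search(decoded):
                hits.append({"path": parts.path, "param": key, "value": decoded})
                break  # one record per request is enough for triage
    return hits


def is_vulnerable_version(version_output: str) -> bool:
    """True only for the exact affected release, 1.32.5.

    Accepts 'v1.32.5' or 'vaultwarden 1.32.5' (the precise output of
    `vaultwarden --version` is an assumption, hence the loose regex).
    """
    m = VERSION_RE.search(version_output)
    return bool(m) and tuple(int(x) for x in m.groups()) == (1, 32, 5)
```

Run the scanner over your own proxy or Vaultwarden access logs; every flagged record lists the path, parameter name and decoded value so it can be cross-checked against the SIEM query above.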
