CVE-2024-56335
📋 TL;DR
This vulnerability allows an authenticated attacker with admin or owner permissions in one organization to modify or delete groups in other organizations, provided they know the target organization's and group's UUIDs. It affects Vaultwarden servers with the ORG_GROUPS_ENABLED setting turned on, which is disabled by default. An attacker can cause denial of service by removing users' group memberships, or escalate privileges within the victim organization.
💻 Affected Systems
- vaultwarden (formerly bitwarden_rs)
📦 What is this software?
Vaultwarden by Dani Garcia
⚠️ Risk & Real-World Impact
Worst Case
An attacker with internal access can disrupt organizational access by deleting groups, and can potentially escalate privileges to reach encrypted data they should not have access to within the affected organizations.
Likely Case
An internal attacker with admin rights in one organization abuses those permissions to disrupt operations in another organization by modifying its group memberships, causing access problems for legitimate users.
If Mitigated
With ORG_GROUPS_ENABLED disabled (default) or proper access controls, the vulnerability cannot be exploited and organizational data remains protected.
🎯 Exploit Status
Exploitation requires an authenticated user with specific permissions and knowledge of the target UUIDs. No public exploit code is identified in the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.32.7
Vendor Advisory: https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-g65h-982x-4m5m
Restart Required: Yes
Instructions:
1. Back up your vaultwarden data and configuration.
2. Stop the vaultwarden service.
3. Update to version 1.32.7 or later using your deployment method (Docker, package manager, or source).
4. Restart the vaultwarden service.
5. Verify that the running version is 1.32.7 or higher.
🔧 Temporary Workarounds
Disable organization groups
Disables the vulnerable group functionality entirely by setting ORG_GROUPS_ENABLED to false.
Set ORG_GROUPS_ENABLED=false in your vaultwarden environment configuration.
Disable new user signups
Prevents attackers from creating new accounts by disabling SIGNUPS_ALLOWED.
Set SIGNUPS_ALLOWED=false in your vaultwarden environment configuration.
🧯 If You Can't Patch
- Disable ORG_GROUPS_ENABLED setting immediately to remove vulnerable functionality
- Implement strict access controls and monitor for unauthorized group modifications in logs
🔍 How to Verify
Check if Vulnerable:
The server is vulnerable if the vaultwarden version is below 1.32.7 AND ORG_GROUPS_ENABLED is set to true in its configuration.
Check Version:
Run: docker exec vaultwarden /vaultwarden --version (for Docker deployments), or read the version shown in the web admin interface.
Verify Fix Applied:
Confirm the vaultwarden version is 1.32.7 or higher using the version check command, and review the ORG_GROUPS_ENABLED setting if group functionality is still enabled.
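The verification steps above combine two checks: a version comparison against 1.32.7 and the ORG_GROUPS_ENABLED setting. The following POSIX shell script is an added example (not part of this advisory or of the Vaultwarden project) that automates that decision. It assumes a Docker deployment with a container named "vaultwarden" (as in the command above), that the version is the last whitespace-separated token of the --version output, and that the setting is exposed as an environment variable inside the container; adjust check_server for other deployment methods. Version strings are compared numerically per dotted component, so no dependence on sort -V is needed.

```shell
#!/bin/sh
# Added example: decide whether a Vaultwarden server is in the vulnerable
# configuration for CVE-2024-56335. Fixed version per the advisory: 1.32.7.
FIXED_VERSION="1.32.7"

# version_lt A B -> returns 0 if dotted version A is strictly lower than B.
# Leading "v" and any "-suffix" are stripped; missing components count as 0.
version_lt() {
    a="${1#v}"; a="${a%%-*}"
    b="${2#v}"; b="${b%%-*}"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        if [ "$a" = "$ah" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bh" ]; then b=""; else b="${b#*.}"; fi
        ah="${ah:-0}"; bh="${bh:-0}"
        [ "$ah" -lt "$bh" ] && return 0
        [ "$ah" -gt "$bh" ] && return 1
    done
    return 1
}

# is_vulnerable VERSION ORG_GROUPS_ENABLED -> returns 0 when both conditions
# from the advisory hold: version below the fix AND groups enabled.
# The setting is compared case-insensitively; unset/empty means disabled (default).
is_vulnerable() {
    ver="$1"
    groups="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
    if version_lt "$ver" "$FIXED_VERSION" && [ "$groups" = "true" ]; then
        return 0
    fi
    return 1
}

# check_server [CONTAINER]: reads the live values from a Docker container
# (assumption: container name defaults to "vaultwarden"; printenv is available
# in the image) and reports the result. Returns 0 if vulnerable, 1 otherwise.
check_server() {
    c="${1:-vaultwarden}"
    ver="$(docker exec "$c" /vaultwarden --version 2>/dev/null | awk '{print $NF}')"
    groups="$(docker exec "$c" printenv ORG_GROUPS_ENABLED 2>/dev/null || true)"
    if is_vulnerable "$ver" "$groups"; then
        echo "VULNERABLE: version $ver with ORG_GROUPS_ENABLED=$groups"
        return 0
    fi
    echo "not vulnerable: version ${ver:-unknown} with ORG_GROUPS_ENABLED=${groups:-unset}"
    return 1
}
```

Usage: source the script and call check_server (optionally with a container name); the exit status can drive a fleet-wide check or a monitoring job. Note that a server reporting "not vulnerable" only because ORG_GROUPS_ENABLED is unset becomes vulnerable again if groups are enabled later without updating, so the version check still matters.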
📡 Detection & Monitoring
Log Indicators:
- Unauthorized group modification attempts
- Group deletion events from users not in target organization
- Failed permission checks for group operations
Network Indicators:
- API calls to group endpoints from unauthorized sources
- Unusual pattern of group modification requests
SIEM Query:
vaultwarden AND ("group" AND ("update" OR "delete")) AND NOT organization_id:[authorized_org_ids]