CVE-2025-24365

CVSS 8.1 (HIGH)

📋 TL;DR

This vulnerability in vaultwarden allows an authenticated user who is an owner or admin of one organization to gain owner rights over a different organization, provided they know (or can obtain) the victim organization's ID. It matters on instances that host more than one organization and let users create their own, since the attacker must already hold owner/admin privileges somewhere; it is not reachable by an unprivileged member or an unauthenticated client.

💻 Affected Systems

Products:
  • vaultwarden
Versions: All versions before 1.33.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances with multiple organizations where users can create organizations (default configuration).

📦 What is this software?

Vaultwarden (formerly bitwarden_rs) is an unofficial, lightweight server implementation of the Bitwarden API, written in Rust, that works with the official Bitwarden clients. It is commonly self-hosted in Docker, often Internet-facing, and supports Bitwarden organizations for sharing vault items between users.
⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker gains full administrative control over another organization, potentially accessing all passwords, secure notes, and sensitive data belonging to that organization's members.

🟠

Likely Case

An attacker with malicious intent who is part of multiple organizations escalates privileges to steal credentials or sensitive data from a target organization.

🟢

If Mitigated

With proper access controls and monitoring, unauthorized privilege escalation attempts are detected and prevented before data exfiltration occurs.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: Unknown
Unauthenticated Exploit: No
Complexity: MEDIUM

Requires authenticated access as organization owner/admin and knowledge of target organization ID.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.33.0

Vendor Advisory: https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-j4h8-vch3-f797

Restart Required: Yes (the vaultwarden process or container must be restarted so the new binary is the one serving requests)

Instructions:

1. Back up your vaultwarden data directory (and database, if you use an external one).
2. Update to version 1.33.0 or later using your deployment method (pull the new Docker image and recreate the container, or replace the binary for a manual install).
3. Restart the service and verify that the running instance reports 1.33.0 or higher.

🔧 Temporary Workarounds

Restrict Organization Creation

Applies to: all affected versions

Temporarily stop new organizations and new accounts from being created, so no additional users can obtain the owner/admin role the attack requires.

Set ORG_CREATION_USERS=none in the environment/config to block new organizations. Setting SIGNUPS_ALLOWED=false and INVITATIONS_ALLOWED=false additionally stops new accounts from being registered or invited. Note that none of these settings protects against a user who already holds owner/admin rights in an existing organization; they only limit how many such users can appear before you patch.

🧯 If You Can't Patch

  • Implement strict access monitoring for organization ownership changes
  • Regularly audit organization memberships and owner privileges

🔍 How to Verify

Check if Vulnerable:

Any vaultwarden release below 1.33.0 is vulnerable.

Check Version:

docker exec vaultwarden /vaultwarden --version

Alternatively, open the admin panel (/admin) and read the server version from the Diagnostics tab.

Verify Fix Applied:

Confirm the running instance reports version 1.33.0 or higher. If you want a functional check, use a test account that is owner of one organization and confirm it cannot modify membership or roles in a second organization it does not belong to.
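The version check above is easy to get wrong by string comparison ("1.9.0" sorts after "1.33.0" lexically). The following script is an added example, not part of the advisory or the vaultwarden project: it parses the output of `vaultwarden --version`, compares it numerically against the fixed release, and optionally pulls the live string from a running container. The container name `vaultwarden` and the `docker exec` invocation are taken from the page; the exact wording of the `--version` banner is assumed, so the parser only relies on finding an x.y.z triple in it.

```python
import re
import subprocess
import sys

# First release that contains the fix for CVE-2025-24365 (from the advisory).
FIXED_VERSION = (1, 33, 0)


def parse_version(text: str) -> tuple:
    """Extract the first x.y.z triple from a version banner as a tuple of ints.

    Accepts "vaultwarden 1.32.7", "Vaultwarden 1.33.0", "1.33.1-alpha", etc.
    Prerelease/build suffixes are ignored: 1.33.1-alpha still parses as 1.33.1.
    """
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no semantic version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version_text: str) -> bool:
    """True if the reported version is older than the fixed release."""
    return parse_version(version_text) < FIXED_VERSION


def running_version(container: str = "vaultwarden") -> str:
    """Ask the live container for its version banner (needs Docker access)."""
    result = subprocess.run(
        ["docker", "exec", container, "/vaultwarden", "--version"],
        capture_output=True, text=True, check=True,
    )
    return (result.stdout or result.stderr).strip()


if __name__ == "__main__":
    # Usage: python check_vw.py [container-name]
    name = sys.argv[1] if len(sys.argv) > 1 else "vaultwarden"
    try:
        banner = running_version(name)
    except (OSError, subprocess.CalledProcessError) as exc:
        print(f"could not query container {name!r}: {exc}")
        sys.exit(2)
    status = "VULNERABLE" if is_vulnerable(banner) else "patched"
    print(f"{banner} -> {status} (fix: {'.'.join(map(str, FIXED_VERSION))})")
    sys.exit(1 if status == "VULNERABLE" else 0)
```

Exit status 1 means the instance still needs the update, which makes the script usable from a cron job or a fleet-wide compliance check.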

📡 Detection & Monitoring

Log Indicators:

  • Unexpected organization ownership changes
  • Multiple organization access attempts from single user

Network Indicators:

  • Unusual API calls to organization management endpoints

SIEM Query:

vaultwarden AND (organization_owner_changed OR organization_admin_granted)

This query is illustrative; the event names are not literal vaultwarden log strings and must be mapped to the field names of your log source. Vaultwarden only records organization membership and role events when organization event logging is enabled (ORG_EVENTS_ENABLED); without it, you are limited to the HTTP access log and the admin panel's view of organization members.
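The two log indicators above translate into one concrete rule: a privileged role change in an organization where the acting user holds no owner/admin role is exactly the shape of this bug. The script below is an added example, not code from the advisory or from vaultwarden; it runs that rule over constructed JSON event lines against a constructed membership baseline, and also counts how many distinct organizations each actor touched. The event schema (ts, actor, org_id, action, target, new_role), the organization IDs and the e-mail addresses are all hypothetical; adapt the field names to whatever your export of vaultwarden's organization events or your reverse proxy log actually provides.

```python
import json
from collections import defaultdict

PRIVILEGED_ROLES = {"owner", "admin"}

# Constructed baseline: who holds which role in which organization before the
# events were recorded (e.g. exported from the admin panel). Hypothetical IDs.
BASELINE = {
    "org-A": {"mallory@example.com": "owner", "alice@example.com": "user"},
    "org-B": {"bob@example.com": "owner", "carol@example.com": "user"},
}

# Constructed sample events (assumed schema). The third line is the attack:
# an owner of org-A grants herself owner in org-B, where she is not a member.
SAMPLE_EVENTS = """\
{"ts":"2025-01-20T10:00:00Z","actor":"bob@example.com","org_id":"org-B","action":"role_changed","target":"carol@example.com","new_role":"admin"}
{"ts":"2025-01-20T10:05:00Z","actor":"mallory@example.com","org_id":"org-A","action":"role_changed","target":"alice@example.com","new_role":"admin"}
{"ts":"2025-01-20T10:07:00Z","actor":"mallory@example.com","org_id":"org-B","action":"role_changed","target":"mallory@example.com","new_role":"owner"}
"""


def _events(lines: str):
    for line in lines.splitlines():
        if line.strip():
            yield json.loads(line)


def find_cross_org_changes(lines: str, baseline: dict) -> list:
    """Flag privileged role grants made by an actor who is not owner/admin
    of the target organization according to the (progressively updated)
    membership state. Flagged changes are NOT applied to the state, so a
    self-granted owner role does not legitimise the actor's later actions."""
    membership = {org: dict(members) for org, members in baseline.items()}
    alerts = []
    for ev in _events(lines):
        if ev.get("action") != "role_changed":
            continue
        if ev.get("new_role") not in PRIVILEGED_ROLES:
            continue
        org, actor = ev["org_id"], ev["actor"]
        actor_role = membership.get(org, {}).get(actor)
        if actor_role in PRIVILEGED_ROLES:
            # Legitimate: apply so later events see the new state.
            membership.setdefault(org, {})[ev["target"]] = ev["new_role"]
            continue
        # Where does this actor legitimately hold privileges? That is the
        # "foothold" organization in the CVE-2025-24365 pattern.
        privileged_in = sorted(
            o for o, members in membership.items()
            if members.get(actor) in PRIVILEGED_ROLES
        )
        alerts.append({
            "ts": ev["ts"],
            "actor": actor,
            "org_id": org,
            "actor_role_in_org": actor_role,
            "target": ev["target"],
            "new_role": ev["new_role"],
            "privileged_in": privileged_in,
        })
    return alerts


def orgs_touched_per_actor(lines: str) -> dict:
    """Second indicator from the page: distinct organizations per actor."""
    touched = defaultdict(set)
    for ev in _events(lines):
        touched[ev["actor"]].add(ev["org_id"])
    return {actor: len(orgs) for actor, orgs in touched.items()}


if __name__ == "__main__":
    for alert in find_cross_org_changes(SAMPLE_EVENTS, BASELINE):
        print("ALERT cross-org privilege change:", json.dumps(alert))
    print("organizations touched per actor:", orgs_touched_per_actor(SAMPLE_EVENTS))
```

The first rule is the one worth alerting on; the per-actor organization count is noisy on its own (a managed-service provider legitimately administers many organizations) and is better used as context on the alert than as a trigger.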

🔗 References

  • GitHub Security Advisory GHSA-j4h8-vch3-f797: https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-j4h8-vch3-f797
  • NVD record: https://nvd.nist.gov/vuln/detail/CVE-2025-24365