CVE-2026-26012
📋 TL;DR
In vaultwarden versions before 1.35.3, any organization member can access all ciphers (password entries) within their organization, bypassing collection-based permission controls. This affects all vaultwarden deployments with organization features enabled. The vulnerability allows unauthorized data access within shared password management environments.
💻 Affected Systems
- vaultwarden (formerly bitwarden_rs)
📦 What is this software?
Vaultwarden by Dani Garcia
⚠️ Risk & Real-World Impact
Worst Case
Organization members exfiltrate all sensitive passwords, API keys, and credentials stored in the organization's vault, leading to complete compromise of organizational secrets.
Likely Case
Accidental or intentional exposure of sensitive credentials within the organization, potentially enabling lateral movement or privilege escalation in other systems.
If Mitigated
Limited exposure if organizations have strict internal trust models and minimal sensitive data in shared collections.
🎯 Exploit Status
Exploitation requires valid organization member credentials. The vulnerability is simple to exploit via direct API calls to the affected endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.35.3
Vendor Advisory: https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h265-g7rm-h337
Restart Required: Yes
Instructions:
1. Backup your vaultwarden data and configuration.
2. Stop the vaultwarden service.
3. Update to version 1.35.3 or later using your preferred method (Docker, package manager, or manual build).
4. Restart the vaultwarden service.
5. Verify the update was successful.
🔧 Temporary Workarounds
Disable Organization Features
Temporarily disable organization functionality to prevent exploitation while planning the upgrade.
Set ORGANIZATIONS_ALLOWED=false in vaultwarden configuration
🧯 If You Can't Patch
- Implement strict access controls and audit all organization members. Remove unnecessary members.
- Monitor API logs for unusual access patterns to /ciphers/organization-details endpoint.
🔍 How to Verify
Check if Vulnerable:
Check if vaultwarden version is below 1.35.3 and organization features are enabled.
Check Version:
Check vaultwarden logs for version information or run: docker inspect vaultwarden/server | grep VERSION
Verify Fix Applied:
After updating to 1.35.3+, verify that organization members can only access ciphers in their assigned collections.
📡 Detection & Monitoring
Log Indicators:
- Multiple successful requests to /ciphers/organization-details from organization members
- Unusual volume of cipher access from single user
Network Indicators:
- API calls to /ciphers/organization-details endpoint with organization member tokens
SIEM Query:
source="vaultwarden" AND path="/ciphers/organization-details" AND status=200 | stats count by user
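The per-user count behind the SIEM query above, as an added example that is not part of this advisory or of vaultwarden's own code. It assumes a key=value log format constructed for the example (real vaultwarden request logs use different fields, so the regex must be adapted), matches the endpoint with or without the /api prefix and any query string, and treats the threshold as an assumed baseline to be tuned per deployment.

```python
import re
from collections import Counter

# Constructed sample log lines in an assumed key=value format; the
# organization id is a placeholder, not a real value.
SAMPLE_LOGS = """\
source=vaultwarden user=alice@example.org path=/api/ciphers/organization-details?organizationId=ORG-ID-PLACEHOLDER status=200
source=vaultwarden user=alice@example.org path=/api/sync status=200
source=vaultwarden user=bob@example.org path=/api/ciphers/organization-details status=200
source=vaultwarden user=bob@example.org path=/api/ciphers/organization-details status=200
source=vaultwarden user=bob@example.org path=/api/ciphers/organization-details status=200
source=vaultwarden user=carol@example.org path=/api/ciphers/organization-details status=401
source=nginx user=carol@example.org path=/api/ciphers/organization-details status=200
"""

LINE_RE = re.compile(
    r"source=(?P<source>\S+)\s+user=(?P<user>\S+)\s+path=(?P<path>\S+)\s+status=(?P<status>\d+)"
)
# The endpoint named in the advisory; compared without the /api prefix.
TARGET_PATH = "/ciphers/organization-details"


def count_org_details_hits(log_text):
    """Count successful (HTTP 200) requests to the organization-details
    endpoint per user, mirroring `status=200 | stats count by user`."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        if m["source"] != "vaultwarden" or m["status"] != "200":
            continue  # only vaultwarden's own successful responses count
        path = m["path"].split("?", 1)[0].rstrip("/")  # drop query string
        if path.endswith(TARGET_PATH):
            hits[m["user"]] += 1
    return dict(hits)


def flag_unusual_users(hits, threshold=2):
    """Return users whose successful hit count reaches the assumed
    baseline threshold; tune the threshold to the deployment."""
    return sorted(user for user, n in hits.items() if n >= threshold)
```

Users who legitimately use the organization vault view (admins and owners) will also appear in the count, so the flagged list is a starting point for review against each user's organization role, not proof of misuse.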