CVE-2026-27802

8.3 HIGH

📋 TL;DR

This vulnerability allows managers in Vaultwarden to escalate their privileges by modifying permissions for collections they shouldn't have access to. It affects all Vaultwarden instances running versions before 1.35.4. Managers could potentially gain unauthorized access to sensitive password collections.

💻 Affected Systems

Products:
  • Vaultwarden
Versions: All versions prior to 1.35.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances where manager roles are used. Regular user accounts are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A malicious manager could gain access to all password collections, including those belonging to administrators or other protected users, potentially compromising all stored credentials.

🟠 Likely Case

A manager with limited permissions could expand their access to additional collections beyond their intended scope, violating organizational access controls.

🟢 If Mitigated

With proper monitoring and least privilege principles, the impact would be limited to unauthorized access to some collections rather than complete system compromise.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires manager-level access. The vulnerability is in the bulk permission update functionality.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.35.4

Vendor Advisory: https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-r32r-j5jq-3w4m

Restart Required: Yes

Instructions:

1. Stop the Vaultwarden service.
2. Update to version 1.35.4 or later using your preferred method (Docker, package manager, or manual installation).
3. Restart the Vaultwarden service.
4. Verify the version is 1.35.4 or higher.

🔧 Temporary Workarounds

Restrict Manager Access

all

Temporarily remove manager permissions from users who don't absolutely need them until patching can be completed.

🧯 If You Can't Patch

  • Implement strict monitoring of permission changes and manager activities
  • Apply principle of least privilege - minimize the number of manager accounts

🔍 How to Verify

Check if Vulnerable:

Check your Vaultwarden version. If it's below 1.35.4, you are vulnerable.

Check Version:

Run: docker exec vaultwarden ./vaultwarden --version

Alternatively, check the version shown in the web interface admin panel.

Verify Fix Applied:

Confirm the version is 1.35.4 or higher and test that managers cannot modify permissions for unauthorized collections.
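As an added example (not part of the advisory or of Vaultwarden itself), a POSIX shell helper that pulls the version out of the CLI output and compares it numerically against 1.35.4, so that a release such as 1.35.10 is not mistaken for a vulnerable one by string comparison. The container name vaultwarden comes from the advisory; the exact banner format printed by --version is an assumption.

```shell
#!/bin/sh
# Added example, not from the advisory: decide whether a Vaultwarden
# version string is below the fixed release 1.35.4.
FIXED_VERSION="1.35.4"

# Numeric comparison of dotted versions (so "1.35.10" > "1.35.4").
# Returns 0 when $1 < $2, 1 otherwise. Missing components count as 0.
version_lt() {
    a="$1" b="$2"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s\n' "$b" | cut -d. -f"$i"); y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# Extract the first x.y.z token from arbitrary CLI output. That the
# `vaultwarden --version` banner contains such a token is an assumption.
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Prints VULNERABLE or PATCHED for the given output/version string.
# Returns 0 when vulnerable, 1 when patched, 2 when no version was found.
vaultwarden_is_vulnerable() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo "UNKNOWN: no version found in input" >&2
        return 2
    fi
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "VULNERABLE: $v < $FIXED_VERSION (CVE-2026-27802)"
        return 0
    fi
    echo "PATCHED: $v >= $FIXED_VERSION"
    return 1
}

# Usage against a running container named "vaultwarden" (name from the advisory):
#   vaultwarden_is_vulnerable "$(docker exec vaultwarden ./vaultwarden --version 2>&1)"
```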

📡 Detection & Monitoring

Log Indicators:

  • Unusual bulk permission updates
  • Manager accounts accessing collections they shouldn't have permissions for

Network Indicators:

  • Multiple permission update API calls from manager accounts

SIEM Query:

source="vaultwarden" AND (event="permission_update" OR event="collection_access") AND user_role="manager"
