CVE-2026-27898
📋 TL;DR
This vulnerability allows authenticated regular users in Vaultwarden to access other users' encrypted password vault entries by exploiting an authorization bypass in the partial update API endpoint. Attackers can read sensitive data including passwords, secure notes, and other stored credentials. Only Vaultwarden instances running vulnerable versions are affected.
💻 Affected Systems
- Vaultwarden (formerly bitwarden_rs)
📦 What is this software?
Vaultwarden by Dani Garcia
⚠️ Risk & Real-World Impact
Worst Case
Malicious authenticated users could systematically exfiltrate all password vault data from all users, leading to complete credential compromise and potential account takeovers across multiple services.
Likely Case
An attacker with regular user access could access specific targeted users' password vault entries, potentially compromising sensitive personal or organizational credentials.
If Mitigated
With proper access controls and monitoring, unauthorized access attempts would be detected and blocked, limiting exposure to targeted attacks.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward via API manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.35.4
Vendor Advisory: https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-w9f8-m526-h7fh
Restart Required: Yes
Instructions:
1. Stop the Vaultwarden service.
2. Update to version 1.35.4 or later.
3. Restart the Vaultwarden service.
4. Verify that the update was successful.
🔧 Temporary Workarounds
Disable the partial update endpoint
Temporarily disable the vulnerable API endpoint until patching is possible.
Modify the Vaultwarden deployment configuration (in practice, the reverse proxy in front of Vaultwarden) to block PUT requests to /api/ciphers/*/partial. Note that clients use this endpoint for legitimate partial updates (for example changing a cipher's folder or favorite flag), so those operations will fail while the block is in place.
🧯 If You Can't Patch
- Implement strict network segmentation to limit access to Vaultwarden API endpoints
- Enhance monitoring and alerting for unusual API access patterns to /api/ciphers/*/partial
🔍 How to Verify
Check if Vulnerable:
Check Vaultwarden version via web interface or container image tag. Versions below 1.35.4 are vulnerable.
Check Version:
docker inspect vaultwarden/server | grep -i version
Verify Fix Applied:
Confirm version is 1.35.4 or higher and test that authenticated users cannot access other users' cipher data via the partial update endpoint.
📡 Detection & Monitoring
Log Indicators:
- Multiple 200 OK responses to PUT /api/ciphers/{id}/partial with different cipher IDs from same user
- Unusual access patterns to cipher endpoints
Network Indicators:
- Unusual volume of PUT requests to /api/ciphers/*/partial endpoints
- API calls accessing cipher IDs not belonging to the authenticated user
SIEM Query:
source="vaultwarden" AND method="PUT" AND uri="/api/ciphers/*/partial" AND status=200 | stats count by user_id, cipher_id
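The following script is an added example, not part of the advisory or of the Vaultwarden project. It implements the detection logic behind the log indicators and SIEM query above, and adds the version check from the "How to Verify" section, in offline-runnable form. It assumes a constructed JSON-lines access log in which each request is already enriched with the authenticated user_id (Vaultwarden's own request log does not carry one, so this enrichment would come from a reverse proxy or SIEM pipeline), plus an optional constructed ownership table mapping cipher ids to their owners. The user names, cipher ids and log format are all constructed sample data.

```python
import json
import re
from collections import defaultdict

# Route named in the advisory; the cipher id is captured for per-user counting.
PARTIAL_RE = re.compile(r"^/api/ciphers/([0-9a-fA-F-]{36})/partial$")

# Constructed sample log (one JSON object per line). The user_id field is assumed
# to be added by a reverse proxy or SIEM enrichment step, as the SIEM query expects.
SAMPLE_LOG = """\
{"ts": "2026-03-01T10:00:01Z", "user_id": "alice", "method": "PUT", "uri": "/api/ciphers/11111111-1111-4111-8111-111111111111/partial", "status": 200}
{"ts": "2026-03-01T10:00:02Z", "user_id": "mallory", "method": "PUT", "uri": "/api/ciphers/11111111-1111-4111-8111-111111111111/partial", "status": 200}
{"ts": "2026-03-01T10:00:03Z", "user_id": "mallory", "method": "PUT", "uri": "/api/ciphers/22222222-2222-4222-8222-222222222222/partial", "status": 200}
{"ts": "2026-03-01T10:00:04Z", "user_id": "mallory", "method": "PUT", "uri": "/api/ciphers/33333333-3333-4333-8333-333333333333/partial", "status": 200}
{"ts": "2026-03-01T10:00:05Z", "user_id": "mallory", "method": "PUT", "uri": "/api/ciphers/44444444-4444-4444-8444-444444444444/partial", "status": 404}
{"ts": "2026-03-01T10:00:06Z", "user_id": "bob", "method": "GET", "uri": "/api/ciphers/22222222-2222-4222-8222-222222222222", "status": 200}
"""

# Constructed ownership table (cipher id -> owning user), e.g. exported from the
# Vaultwarden database. Optional: without it, only the distinct-id count is used.
OWNERS = {
    "11111111-1111-4111-8111-111111111111": "alice",
    "22222222-2222-4222-8222-222222222222": "bob",
    "33333333-3333-4333-8333-333333333333": "bob",
}


def parse_partial_updates(log_text):
    """Yield (user_id, cipher_id, status) for every PUT to the partial-update route."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("method") != "PUT":
            continue
        match = PARTIAL_RE.match(rec.get("uri", ""))
        if match:
            yield rec["user_id"], match.group(1).lower(), int(rec["status"])


def find_suspicious_users(log_text, owners=None, distinct_threshold=3):
    """Flag users whose successful (200) partial updates either touch at least
    distinct_threshold different cipher ids, or touch a cipher the ownership table
    assigns to someone else. Returns {user_id: {"distinct_ciphers": n,
    "foreign_ciphers": [cipher ids]}}."""
    ciphers_by_user = defaultdict(set)
    foreign_by_user = defaultdict(list)
    for user, cipher, status in parse_partial_updates(log_text):
        if status != 200:
            continue  # only successful responses indicate the bypass actually worked
        ciphers_by_user[user].add(cipher)
        if owners is not None and cipher in owners and owners[cipher] != user:
            foreign_by_user[user].append(cipher)
    findings = {}
    for user, ciphers in ciphers_by_user.items():
        if len(ciphers) >= distinct_threshold or foreign_by_user[user]:
            findings[user] = {
                "distinct_ciphers": len(ciphers),
                "foreign_ciphers": sorted(foreign_by_user[user]),
            }
    return findings


def is_vulnerable_version(version):
    """True if a Vaultwarden version string (e.g. from the image tag) is below the
    fixed release 1.35.4. Tolerates a leading 'v' and suffixes such as '-alpine'."""
    match = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in match.groups())
    return (major, minor, patch) < (1, 35, 4)


if __name__ == "__main__":
    print("vulnerable 1.35.3:", is_vulnerable_version("1.35.3"))
    for user, info in find_suspicious_users(SAMPLE_LOG, OWNERS).items():
        print(f"{user}: {info}")
```

In the sample data only mallory is flagged: three different ciphers with 200 responses, all owned by other users, while the 404 attempt is ignored. The distinct-id threshold alone would flag the same user without any ownership data, which is the shape of the SIEM query above; the ownership check is what turns "unusual volume" into "accessed a cipher not belonging to the authenticated user".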