Bug 2476356 (CVE-2026-43912) - CVE-2026-43912 vaultwarden: Vaultwarden: Unauthorized vault data access via improper organization consistency enforcement
Summary: CVE-2026-43912 vaultwarden: Vaultwarden: Unauthorized vault data access via i...
Keywords:
Status: NEW
Alias: CVE-2026-43912
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2476447 2476448
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-11 23:03 UTC by OSIDB Bzimport
Modified: 2026-05-12 12:36 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-11 23:03:08 UTC
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden does not enforce that a groups_users.users_organizations_uuid entry belongs to the same organization as groups.groups_uuid, or a collections_groups.collections_uuid entry belongs to the same organization as collections_groups.groups_uuid. Multiple organization group-management endpoints accept arbitrary MembershipId and CollectionId values and persist them directly without verifying org consistency. This lets an attacker who is Admin in Organization A, and only a low-privileged member in Organization B bind their Org B membership UUID into an Org A group, then use that foreign group relationship to gain unauthorized access to Org B vault data. With an accessAll=true Org A group, the attacker can make /api/sync and /api/ciphers enumerate Org B ciphers. Once those unauthorized sync results reveal Org B collection IDs, the attacker can also bind those foreign collection IDs to the Org A group and turn the same flaw into write access over Org B items. This vulnerability is fixed in 1.35.5.


Note You need to log in before you can comment on or make changes to this bug.