Vaultwarden

13 CVEs

CVE-2026-43911 MEDIUM PATCH This Month

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, refresh tokens are not invalidated when the user's security_stamp is rotated by some security-sensitive operations (password change, KDF change, key rotation, email change, org admin password reset, emergency access takeover). This allows an attacker holding a previously obtained refresh token to maintain session access even after the user has taken action to secure their account. This vulnerability is fixed in 1.35.5.

Tags: Information Disclosure, Vaultwarden
Sources: NVD, GitHub, VulDB
CVSS 3.1: 6.8 | EPSS: 0.0%
CVE-2026-33420 MEDIUM PATCH This Month

Vaultwarden versions 1.35.4 and earlier expose organization collection metadata to Manager-role users lacking full access permissions due to a missing authorization check on the get_org_collections_details endpoint. An authenticated Manager with accessAll=False and no collection assignments can retrieve collection names, UUIDs, and user-to-collection and group-to-collection mappings for all organization collections, representing a confidentiality breach of sensitive organizational structure data. The vulnerability is limited to authenticated users with specific role attributes and has been patched in version 1.35.5.

Tags: Authentication Bypass, Vaultwarden
Sources: NVD, GitHub, VulDB
CVSS 4.0: 5.3 | EPSS: 0.0%
CVE-2026-31835 MEDIUM PATCH This Month

Vaultwarden versions 1.35.4 and earlier allow authenticated attackers to permanently disable WebAuthn two-factor authentication for user credentials by exploiting a logic flaw in the `validate_webauthn_login()` function that updates backup eligibility flags before validating the WebAuthn signature. An attacker with knowledge of a user's password can modify these persistent flags even when providing an invalid WebAuthn signature, causing signature verification to fail without rolling back the database changes, resulting in denial of service of the 2FA mechanism for affected credentials. The vulnerability has been patched in version 1.35.5.

Tags: Denial Of Service, Vaultwarden
Sources: NVD, GitHub, VulDB
CVSS 4.0: 5.3 | EPSS: 0.0%
CVE-2026-27898 Cargo MEDIUM PATCH This Month

Vaultwarden versions up to 1.35.4 are affected by an authorization bypass through a user-controlled key (CVSS 5.4).

Tags: Authentication Bypass, Vaultwarden, Red Hat
Sources: NVD, GitHub
CVSS 3.1: 5.4 | EPSS: 0.0%
CVE-2026-27803 Cargo HIGH PATCH This Week

Vaultwarden versions prior to 1.35.4 fail to properly enforce collection management permissions, allowing authenticated users with Manager roles to perform restricted management operations on collections where they lack authorization. An attacker with valid credentials can exploit this privilege escalation to modify or control collections they should not have access to. No patch is currently available for affected deployments.

Tags: Privilege Escalation, Vaultwarden, Red Hat
Sources: NVD, GitHub
CVSS 3.1: 8.3 | EPSS: 0.0%
CVE-2026-27802 Cargo HIGH PATCH This Week

Vaultwarden versions before 1.35.4 contain a privilege escalation vulnerability that allows authenticated Manager-level users to modify permissions on collections they should not have access to. An attacker with Manager role can exploit this during bulk permission updates to gain unauthorized access to sensitive collections. A patch is available in version 1.35.4 and should be applied immediately.

Tags: Privilege Escalation, Vaultwarden, Red Hat
Sources: NVD, GitHub
CVSS 3.1: 8.3 | EPSS: 0.0%
CVE-2026-27801 Cargo MEDIUM POC PATCH This Month

Two-factor authentication bypass in Vaultwarden 1.34.3 and earlier allows authenticated attackers to circumvent 2FA protections on sensitive operations, enabling unauthorized access to API keys and destructive actions against vaults and organizations. Public exploit code exists for this vulnerability, which affects the unofficial Bitwarden-compatible server and currently lacks an available patch. Attackers with legitimate account credentials can escalate privileges to perform administrative actions typically restricted by 2FA controls.

Tags: Authentication Bypass, Vaultwarden, Red Hat
Sources: NVD, GitHub
CVSS 3.1: 5.9 | EPSS: 0.0%
CVE-2026-26012 MEDIUM This Month

Vaultwarden versions prior to 1.35.3 allow authenticated organization members to bypass collection-level access controls and retrieve all ciphers within their organization through the /ciphers/organization-details endpoint. An attacker with regular member privileges can access sensitive credentials and encrypted data they should not have permission to view. No patch is currently available for affected deployments.

Tags: Authentication Bypass, Vaultwarden, Red Hat
Sources: NVD, GitHub
CVSS 3.1: 6.5 | EPSS: 0.0%
CVE-2025-24365 HIGH POC This Week

Vaultwarden is an unofficial Bitwarden-compatible server written in Rust, formerly known as bitwarden_rs. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.

Tags: Authentication Bypass, Vaultwarden
Sources: NVD, GitHub
CVSS 3.1: 8.1 | EPSS: 0.5%
CVE-2025-24364 HIGH POC This Month

Vaultwarden is an unofficial Bitwarden-compatible server written in Rust, formerly known as bitwarden_rs. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.

Tags: RCE, Vaultwarden
Sources: NVD, GitHub
CVSS 3.1: 7.2 | EPSS: 0.9%
CVE-2024-55226 Cargo MEDIUM POC PATCH This Month

Vaultwarden v1.32.5 was discovered to contain an authenticated reflected cross-site scripting (XSS) vulnerability via the component /api/core/mod.rs. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.

Tags: XSS, Vaultwarden
Sources: NVD, GitHub
CVSS 3.1: 5.4 | EPSS: 0.2%
CVE-2024-55225 Cargo CRITICAL PATCH This Week

An issue in the component src/api/identity.rs of Vaultwarden prior to v1.32.5 allows attackers to impersonate users, including Administrators, via a crafted authorization request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, requires no authentication, and has low attack complexity. No vendor patch is available.

Tags: Privilege Escalation, Vaultwarden
Sources: NVD, GitHub
CVSS 3.1: 9.8 | EPSS: 0.3%
CVE-2024-55224 Cargo CRITICAL POC PATCH Act Now

An HTML injection vulnerability in Vaultwarden prior to v1.32.5 allows attackers to execute arbitrary code by injecting a crafted payload into the username field of an e-mail message. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, requires no authentication, and has low attack complexity. Public exploit code is available and no vendor patch is available.

Tags: RCE, XSS, Vaultwarden
Sources: NVD, GitHub
CVSS 3.1: 9.6 | EPSS: 0.4%