Unrated severityNVD Advisory· Published Feb 11, 2026· Updated Feb 12, 2026

vaultwarden has Full Cipher Enumeration Ignoring Organization Collection Permissions

CVE-2026-26012

Description

vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to 1.35.3, a regular organization member can retrieve all ciphers within an organization, regardless of collection permissions. The endpoint /ciphers/organization-details is accessible to any organization member and internally uses Cipher::find_by_org to retrieve all ciphers. These ciphers are returned with CipherSyncType::Organization without enforcing collection-level access control. This vulnerability is fixed in 1.35.3.

Affected products

Dani Garcia/Vaultwardenv5
Range: < 1.35.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/dani-garcia/vaultwarden/releases/tag/1.35.3mitrex_refsource_MISC
github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h265-g7rm-h337mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000