High severityNVD Advisory· Published Mar 4, 2026· Updated Mar 5, 2026

Vaultwarden: Privilege Escalation via Bulk Permission Update to Unauthorized Collections by Manager

CVE-2026-27802

Description

Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, there is a privilege escalation vulnerability via bulk permission update to unauthorized collections by Manager. This issue has been patched in version 1.35.4.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
vaultwardencrates.io	< 1.35.4	1.35.4

Affected products

Dani Garcia/Vaultwardenv5
Range: < 1.35.4

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-r32r-j5jq-3w4mghsaADVISORY
github.com/dani-garcia/vaultwarden/security/advisories/GHSA-r32r-j5jq-3w4mghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000