High severityNVD Advisory· Published Mar 4, 2026· Updated Mar 5, 2026
Vaultwarden: Collection Management Operations Allowed Without `manage` Verification for Manager Role
CVE-2026-27803
Description
Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, when a Manager has manage=false for a given collection, they can still perform several management operations as long as they have access to the collection. This issue has been patched in version 1.35.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
vaultwardencrates.io | < 1.35.4 | 1.35.4 |
Affected products
2- Range: < 1.35.4
Patches
Vulnerability mechanics
References
2- github.com/advisories/GHSA-h4hq-rgvh-wh27ghsaADVISORY
- github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h4hq-rgvh-wh27ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.