crates.io package
vaultwarden
pkg:cargo/vaultwarden
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-27898 | — | | | < 1.35.4 | 1.35.4 | Mar 4, 2026 | Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, an authenticated regular user can specify another user’s cipher_id and call "PUT /api/ciphers/{id}/partial" Even though the standard retrieval API co |
| CVE-2026-27803 | — | | | < 1.35.4 | 1.35.4 | Mar 4, 2026 | Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, when a Manager has manage=false for a given collection, they can still perform several management operations as long as they have access to the colle |
| CVE-2026-27802 | — | | | < 1.35.4 | 1.35.4 | Mar 4, 2026 | Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, there is a privilege escalation vulnerability via bulk permission update to unauthorized collections by Manager. This issue has been patched in versi |
| CVE-2026-27801 | — | | | < 1.35.0 | 1.35.0 | Mar 4, 2026 | Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Vaultwarden versions 1.34.3 and prior are susceptible to a 2FA bypass when performing protected actions. An attacker who gains authenticated access to a user’s account can ex |
| CVE-2024-55226 | — | | | < 1.32.5 | 1.32.5 | Jan 9, 2025 | Vaultwarden v1.32.5 was discovered to contain an authenticated reflected cross-site scripting (XSS) vulnerability via the component /api/core/mod.rs. |
| CVE-2024-55225 | — | | | < 1.32.5 | 1.32.5 | Jan 9, 2025 | An issue in the component src/api/identity.rs of Vaultwarden prior to v1.32.5 allows attackers to impersonate users, including Administrators, via a crafted authorization request. |
| CVE-2024-55224 | — | | | < 1.32.5 | 1.32.5 | Jan 9, 2025 | An HTML injection vulnerability in Vaultwarden prior to v1.32.5 allows attackers to execute arbitrary code via injecting a crafted payload into the username field of an e-mail message. |