VYPR

Vaultwarden

by Dani Garcia

cargo: vaultwarden

Source repositories

CVEs (17)

  • CVE-2026-43912HigMay 11, 2026
    risk 0.50cvss 8.7epss 0.00

    Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden does not enforce that a groups_users.users_organizations_uuid entry belongs to the same organization as groups.groups_uuid, or a collections_groups.collections_uuid entry belongs to the…

  • CVE-2026-43913HigMay 11, 2026
    risk 0.46cvss 8.1epss 0.00

    Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden allows an unconfirmed organization owner to purge the entire organization vault. The organization invite flow uses a two-step process: accepting an invite transitions membership from…

  • CVE-2026-43914HigMay 11, 2026
    risk 0.40cvss 7.3epss 0.00

    Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login brute-force protection if email 2fa is enabled. If email 2fa is enabled, the unprotected 2fa-function send_email_login…

  • CVE-2026-43911MedMay 11, 2026
    risk 0.37cvss 6.8epss 0.00

    Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, refresh tokens are not invalidated when the user's security_stamp is rotated by some security-sensitive operations (password change, KDF change, key rotation, email change, org admin password reset,…

  • CVE-2026-31835MedMay 5, 2026
    risk 0.28cvss 5.4epss 0.00

    Vaultwarden is a Bitwarden-compatible server written in Rust. In versions 1.35.4 and earlier, the WebAuthn authentication flow in `validate_webauthn_login()` updates persistent credential metadata (1backup_eligible1 and 1backup_state flags1) based on unverified…

  • CVE-2026-33420MedMay 5, 2026
    risk 0.27cvss 5.3epss 0.00

    Vaultwarden is a Bitwarden-compatible server written in Rust. In version 1.35.4 and earlier, the get_org_collections_details endpoint (GET /api/organizations/{org_id}/collections/details) is missing the has_full_access() authorization check that exists on the sibling…

  • CVE-2026-27898Mar 4, 2026
    risk 0.00cvss epss 0.00

    Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, an authenticated regular user can specify another user’s cipher_id and call "PUT /api/ciphers/{id}/partial" Even though the standard retrieval API…

  • CVE-2026-27803Mar 4, 2026
    risk 0.00cvss epss 0.00

    Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, when a Manager has manage=false for a given collection, they can still perform several management operations as long as they have access to the…

  • CVE-2026-27802Mar 4, 2026
    risk 0.00cvss epss 0.00

    Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, there is a privilege escalation vulnerability via bulk permission update to unauthorized collections by Manager. This issue has been patched in…

  • CVE-2026-27801Mar 4, 2026
    risk 0.00cvss epss 0.00

    Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Vaultwarden versions 1.34.3 and prior are susceptible to a 2FA bypass when performing protected actions. An attacker who gains authenticated access to a user’s account can…

  • CVE-2026-26012Feb 11, 2026
    risk 0.00cvss epss 0.00

    vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to 1.35.3, a regular organization member can retrieve all ciphers within an organization, regardless of collection permissions. The endpoint…

  • CVE-2025-24365Jan 27, 2025
    risk 0.00cvss epss 0.01

    vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Attacker can obtain owner rights of other organization. Hacker should know the ID of victim organization (in real case the user can be a part of the organization as an…

  • CVE-2025-24364Jan 27, 2025
    risk 0.00cvss epss 0.01

    vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Attacker with authenticated access to the vaultwarden admin panel can execute arbitrary code in the system. The attacker could then change some settings to use sendmail as…

  • CVE-2024-56335Dec 20, 2024
    risk 0.00cvss epss 0.00

    vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. In affected versions an attacker is capable of updating or deleting groups from an organization given a few conditions: 1. The attacker has a user account in the server. 2.…

  • CVE-2024-39925Sep 13, 2024
    risk 0.00cvss epss 0.01

    An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. It lacks an offboarding process for members who leave an organization. As a result, the shared organization key is not rotated when a member departs. Consequently, the departing member, whose access should be…

  • CVE-2024-39924Sep 13, 2024
    risk 0.00cvss epss 0.13

    An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. A vulnerability has been identified in the authentication and authorization process of the endpoint responsible for altering the metadata of an emergency access. It permits an attacker with granted emergency…

  • CVE-2024-39926Sep 13, 2024
    risk 0.00cvss epss 0.00

    An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. A stored cross-site scripting (XSS) or, due to the default CSP, HTML injection vulnerability has been discovered in the admin dashboard. This potentially allows an authenticated attacker to inject malicious…