HIGH · CVE-2026-27802 · CVSS 8.3

CVE-2026-27802: Privilege Escalation in Vaultwarden

Platform

rust

Component

vaultwarden

Fixed in

1.35.5

AI Confidence: high · NVD · EPSS 0.04% · Reviewed: May 2026

CVE-2026-27802 is a privilege escalation vulnerability in Vaultwarden, an unofficial, Bitwarden-compatible server written in Rust. An authenticated organization user holding the Manager role can perform bulk permission updates on collections without the authorization check that should restrict that operation, and can thereby obtain or hand out access to collection contents that an Owner or Admin never approved. The flaw affects Vaultwarden releases before 1.35.4; the fix shipped in 1.35.4 (the affected-software data on this page lists 1.35.5 as the fixed release, so upgrade to the current 1.35.x build).


Impact and Attack Scenarios

The impact of CVE-2026-27802 is unauthorized access to, and modification of, the secrets an organization stores in its collections. A user holding the Manager role can change collection permissions in bulk without the authorization check that should gate that operation, which lets them grant themselves (or others) access that an Owner or Admin never approved. That matches the CVSS assessment: high confidentiality and integrity impact (C:H/I:H), low availability impact (A:L) and unchanged scope, so the damage is confined to the organization data held by that Vaultwarden instance rather than extending to the host. The blast radius covers every user whose items live in the affected collections: an attacker with a Manager account could read, alter or remove those items. The prerequisite is an authenticated account with the Manager role in the target organization; anonymous requests and ordinary members are not what this flaw describes, so protecting and minimizing Manager accounts directly shrinks the exposure.

Exploitation Context

CVE-2026-27802 was publicly disclosed on 2026-03-04. No public proof-of-concept exploit is known. Authorization bypasses of this kind need no memory corruption or timing tricks, only an authenticated request that the server fails to gate, so a working exploit is not hard to produce once the fixing change has been studied. The EPSS score is 0.04% (14th percentile), a low predicted probability of exploitation, consistent with the requirement for a Manager account in the target organization. The vulnerability is not listed in the CISA KEV catalog.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 3 threat reports

EPSS

0.04% (14% percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: total

CVSS Vector

CVSS v3.1 base score: 8.3 (HIGH), as assessed by nextguardhq.com
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: Low (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: Low (risk of service disruption)
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — basic authenticated access is required. For this CVE that is an organization account holding the Manager role, which the CVSS assessment still treats as a low-privilege user because it is neither an instance administrator nor an organization Owner.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
Low — partial or intermittent denial of service. Attacker can degrade performance.

Affected Software

Component: vaultwarden
Vendor: dani-garcia
Affected range: < 1.35.4
Fixed in: 1.35.5
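One way to turn the affected range above into an automated check, as an added example that is not part of nextguardhq.com's or Vaultwarden's own code: it reads the server version out of the JSON returned by Vaultwarden's client-facing /api/config endpoint (the top-level "version" key is an assumption made here about that endpoint, not something this page documents) and compares it numerically against the first fixed release. The response body is constructed inline so the example runs offline; fetch_version() performs the live request if you point it at your own instance.

```python
import json
import re
import urllib.request

# First release this page reports as fixed; everything numerically below it is affected.
FIRST_FIXED = (1, 35, 4)

# Accepts '1.35.3', 'v1.35.4', '1.35.4-alpine' and similar; a suffix is ignored
# because it names a build variant, not a different code version.
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch) so that comparison is numeric: as tuples
    (1, 4, 0) < (1, 35, 4), whereas as strings '1.4.0' > '1.35.4'."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True when the running version predates the first fixed release."""
    return parse_version(version) < FIRST_FIXED


def version_from_config(body: str) -> str:
    """Extract the server version from a /api/config response body.
    Assumption: the JSON carries the server version under a top-level
    "version" key; anything else is reported as an error rather than guessed."""
    data = json.loads(body)
    version = data.get("version")
    if not isinstance(version, str):
        raise ValueError("no string 'version' field in /api/config response")
    return version


def assess(body: str) -> dict:
    """Combine extraction and comparison into one result record."""
    version = version_from_config(body)
    return {
        "version": version,
        "affected": is_affected(version),
        "first_fixed": ".".join(str(n) for n in FIRST_FIXED),
    }


def fetch_version(base_url: str, timeout: float = 5.0) -> dict:
    """Query a live instance. base_url is the public origin of your own
    Vaultwarden deployment, e.g. https://vault.example.internal (placeholder)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/api/config",
                                 headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return assess(resp.read().decode("utf-8"))


# Constructed sample response, not captured from a real server.
SAMPLE_CONFIG = json.dumps({
    "version": "1.35.3",
    "gitHash": "0000000",
    "server": None,
    "environment": {"vault": "https://vault.example.internal"},
})

if __name__ == "__main__":
    print(assess(SAMPLE_CONFIG))   # {'version': '1.35.3', 'affected': True, 'first_fixed': '1.35.4'}
```

Compare tuples, not strings: a naive string comparison would call 1.4.0 newer than 1.35.4 and miss an affected host. If your deployment pins a container tag rather than a version, inspect the running server's reported version rather than the tag, since mutable tags such as latest say nothing about what is actually deployed.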

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published: 2026-03-04
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-27802 is to upgrade Vaultwarden to 1.35.4 or later without delay. If that cannot happen immediately, reduce exposure at the precondition the flaw depends on, a Manager account: review who holds the Manager role in each organization and remove it where it is not needed, require multi-factor authentication for those accounts so that a stolen password alone does not yield one, and audit collection permissions for changes you cannot account for. A WAF or reverse proxy cannot supply the missing authorization check, because the requests involved are ordinary authenticated API calls; it can, however, log and alert on bulk collection-permission updates so that abuse is at least visible. After upgrading, confirm the version the server reports and verify the fix by attempting a bulk permission update with a Manager-role test account; the request should be rejected.

How to fix

Update Vaultwarden to version 1.35.4 or higher. This version contains the fix for the privilege escalation vulnerability.


Frequently asked questions

What is CVE-2026-27802 — Privilege Escalation in Vaultwarden?

CVE-2026-27802 is a HIGH severity (CVSS 8.3) vulnerability in Vaultwarden versions prior to 1.35.4 that allows an organization user with the Manager role to update collection permissions in bulk without authorization and thereby gain access to collections they were never granted.

Am I affected by CVE-2026-27802 in Vaultwarden?

If you are running a Vaultwarden release older than 1.35.4, you are affected. Upgrade to 1.35.4 or later (preferably the current 1.35.x release) to remove the vulnerability.

How do I fix CVE-2026-27802 in Vaultwarden?

The recommended fix is to upgrade Vaultwarden to version 1.35.4 or later. If an upgrade is not immediately possible, implement stricter access controls for Manager users.

Is CVE-2026-27802 being actively exploited?

There are currently no confirmed reports of active exploitation, but the vulnerability's nature suggests it could be exploited once a proof-of-concept is developed.

Where can I find the official Vaultwarden advisory for CVE-2026-27802?

Refer to the Vaultwarden GitHub repository for the latest security advisories and updates: [https://github.com/vaultwarden/vaultwarden](https://github.com/vaultwarden/vaultwarden)
