CVE-2026-26012
Published 2026-02-11
Priority: P3 · 38 · Severity: medium · CVSS 3.1 base score: 6.5
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.33% (24.9th percentile)
vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to 1.35.3, a regular organization member can retrieve all ciphers within an organization, regardless of collection permissions. The endpoint /ciphers/organization-details is accessible to any organization member and internally uses Cipher::find_by_org to retrieve all ciphers. These ciphers are returned with CipherSyncType::Organization without enforcing collection-level access control. This vulnerability is fixed in 1.35.3.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dani-garcia | vaultwarden | < 1.35.3 | 1.35.3 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| vendor_redhat | | 6.5 | MEDIUM | |
No detection rules found.
No public exploits indexed.
## Wiz: CVE-2026-26012 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 6.5 · [MEDIUM]
NixOS vulnerability analysis and mitigation
Description: the NVD text quoted above (Source: NVD).
Score: 6.5 (CNA score 6.5) · Severity: MEDIUM · Published February 11, 2026
Affected technologies: NixOS, Linux Alpine
Has public exploit: Yes · Has CISA KEV exploit: No
## Bugzilla: CVE-2026-26012 vaultwarden: Vaultwarden: Information disclosure due to bypassed collection permissions [epel-9]
bugzilla · 2026-02-12 · CVSS 6.5 · [MEDIUM]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-EPEL-2026-759c8b25a3 (vaultwarden-1.36.0-1.el9) has been submitted as an update to Fedora EPEL 9.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-759c8b25a3
---
FEDORA-EPEL-2026-759c8b25a3 has been pushed to the Fedora EPEL 9 testing repository.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-759c8b25a3
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more
## Bugzilla: CVE-2026-26012 vaultwarden: Vaultwarden: Information disclosure due to bypassed collection permissions [fedora-42]
bugzilla · 2026-02-12 · CVSS 6.5 · [MEDIUM]
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently ma
## Bugzilla: CVE-2026-26012 vaultwarden: Vaultwarden: Information disclosure due to bypassed collection permissions [epel-10]
bugzilla · 2026-02-12 · CVSS 6.5 · [MEDIUM]
Discussion:
FEDORA-EPEL-2026-d5e54be3b9 (vaultwarden-1.36.0-1.el10_3) has been submitted as an update to Fedora EPEL 10.3.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-d5e54be3b9
---
FEDORA-EPEL-2026-d857066999 (vaultwarden-1.36.0-1.el10_2) has been submitted as an update to Fedora EPEL 10.2.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-d857066999
---
FEDORA-EPEL-2026-d857066999 has been pushed to the Fedora EPEL 10.2 testing re
## Bugzilla: CVE-2026-26012 vaultwarden: Vaultwarden: Information disclosure due to bypassed collection permissions [fedora-43]
bugzilla · 2026-02-12 · CVSS 6.5 · [MEDIUM]
Discussion:
FEDORA-2026-264f9ef567 (vaultwarden-1.36.0-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-264f9ef567