CVE-2026-27802
published 2026-03-04

Priority: P3 · 52 · high · 8.3 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:L
EPSS: 0.29% (20.9th percentile)

Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, there is a privilege escalation vulnerability via bulk permission update to unauthorized collections by Manager. This issue has been patched in version 1.35.4.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dani-garcia | vaultwarden | < 1.35.4 | 1.35.4 |
| dani-garcia | vaultwarden | >= 0 < 1.35.4 | 1.35.4 |

CVSS provenance

nvd: v3.1, 8.3 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
vendor_redhat: 8.3 HIGH