CVE-2026-27898
Published 2026-03-04
Priority P4 · 31 · medium · 5.4 · CVSS 3.1
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
EPSS: 0.17% (6.3rd percentile)
Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, an authenticated regular user can specify another user’s cipher_id and call "PUT /api/ciphers/{id}/partial". Even though the standard retrieval API correctly denies access to that cipher, the partial update endpoint returns 200 OK and exposes cipherDetails (including name, notes, data, secureNote, etc.). This issue has been patched in version 1.35.4.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dani-garcia | vaultwarden | < 1.35.4 | 1.35.4 |
| dani-garcia | vaultwarden | >= 0 < 1.35.4 | 1.35.4 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
| vendor_redhat | | 5.4 | MEDIUM | |
Red Hat
vaultwarden: Vaultwarden: Information disclosure via API partial update
vendor_redhat · 2026-03-04 · CVSS 5.4 · MEDIUM · CWE-639
A flaw was found in Vaultwarden, an unofficial Bitwarden compatible server. An authenticated regular user can exploit this by specifying another user’s cipher identifier (cipher_id) and making a partial update request to the API. This action b
OSV
Vaultwarden has Unauthorized Access via Partial Update API on Another User’s Cipher
osv · 2026-03-04 · MEDIUM
## Summary
In the test environment, it was confirmed that an authenticated regular user can specify another user’s `cipher_id` and call:
```
PUT /api/ciphers/{id}/partial
```
Even though the standard retrieval API correctly denies access to that cipher, the partial update endpoint returns **200 OK** and exposes `cipherDetails` (including `name`, `notes`, `data`, `secureNote`, etc.).
## Description
`put_cipher_partial` retrieves the target Cipher but does **not perform ownership or access control checks** before returning `to_json`.
Authorization checks present in the normal update API are missing here.
src/api/core/ciphers.rs:717
```rust
let Some(cipher) = Cipher::find_by_uuid(&cipher_id, &conn).awa
```
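To make the missing check concrete for both the NVD summary above and this advisory's Description, the following is an added Rust example written for this page; it is not Vaultwarden's code. It models the handler shape the advisory describes (fetch by the client-supplied id, serialize, return) beside a hardened form that authorizes before serializing. The `Db`, `Cipher`, `Response` and `is_accessible_to_user` names, the in-memory store and the two-user sample data are simplified assumptions; Vaultwarden's real access model also covers organization and collection membership, which this model reduces to direct ownership.

```rust
use std::collections::HashMap;

/// Stand-in for a vault item. Vaultwarden's real `Cipher` is a database row with
/// many more fields; this constructed model keeps only what the access decision
/// needs (an assumption for the example, not the project's own type).
#[derive(Clone, Debug, PartialEq)]
pub struct Cipher {
    pub uuid: String,
    pub owner_user_id: String,
    pub name: String,
    pub notes: String,
}

/// In-memory substitute for the database connection, keyed by cipher uuid.
pub struct Db {
    ciphers: HashMap<String, Cipher>,
}

impl Db {
    /// Constructed sample data: one cipher each for two unrelated users.
    pub fn sample() -> Db {
        let mut ciphers = HashMap::new();
        for (uuid, owner, name, notes) in [
            ("c-alice-1", "alice", "bank login", "alice's recovery codes"),
            ("c-bob-1", "bob", "mail login", "bob's notes"),
        ] {
            ciphers.insert(
                uuid.to_string(),
                Cipher {
                    uuid: uuid.to_string(),
                    owner_user_id: owner.to_string(),
                    name: name.to_string(),
                    notes: notes.to_string(),
                },
            );
        }
        Db { ciphers }
    }

    /// Lookup by the client-supplied id, mirroring `Cipher::find_by_uuid` in shape.
    pub fn find_by_uuid(&self, uuid: &str) -> Option<&Cipher> {
        self.ciphers.get(uuid)
    }
}

/// What the handler sends back. `Ok` carries the serialized item, i.e. the
/// `cipherDetails` the advisory says is exposed.
#[derive(Debug, PartialEq)]
pub enum Response {
    Ok(String),
    NotFound,
}

/// Minimal serializer standing in for the real `to_json`.
fn to_json(c: &Cipher) -> String {
    format!(
        "{{\"id\":\"{}\",\"name\":\"{}\",\"notes\":\"{}\"}}",
        c.uuid, c.name, c.notes
    )
}

/// Ownership test. Vaultwarden also grants access through organizations and
/// collections; this model reduces that to direct ownership (assumption).
fn is_accessible_to_user(cipher: &Cipher, user_id: &str) -> bool {
    cipher.owner_user_id == user_id
}

/// CWE-639 shape from the advisory: fetch by the id the client chose, serialize,
/// return. The caller's identity is in hand but never compared with the owner, so
/// any authenticated user receives any existing cipher. (Update body omitted; the
/// defect is in what the endpoint returns, not in what it writes.)
pub fn put_cipher_partial_vulnerable(db: &Db, _caller_user_id: &str, cipher_id: &str) -> Response {
    match db.find_by_uuid(cipher_id) {
        Some(cipher) => Response::Ok(to_json(cipher)),
        None => Response::NotFound,
    }
}

/// Hardened shape: authorize before anything is serialized, and answer NotFound for
/// both a missing id and an inaccessible one so the endpoint does not reveal which
/// uuids exist.
pub fn put_cipher_partial_fixed(db: &Db, caller_user_id: &str, cipher_id: &str) -> Response {
    let cipher = match db.find_by_uuid(cipher_id) {
        Some(c) => c,
        None => return Response::NotFound,
    };
    if !is_accessible_to_user(cipher, caller_user_id) {
        return Response::NotFound;
    }
    Response::Ok(to_json(cipher))
}

fn main() {
    let db = Db::sample();
    // bob asks for alice's cipher: the vulnerable handler hands it over, the fixed one does not.
    println!("vulnerable: {:?}", put_cipher_partial_vulnerable(&db, "bob", "c-alice-1"));
    println!("fixed:      {:?}", put_cipher_partial_fixed(&db, "bob", "c-alice-1"));
    println!("owner:      {:?}", put_cipher_partial_fixed(&db, "alice", "c-alice-1"));
}
```

The design point is ordering: the access decision has to sit between the lookup and the serializer, and it should be the same check the normal update and retrieval endpoints already apply. Returning the same NotFound for "does not exist" and "not yours" is a deliberate choice so the endpoint cannot be used to enumerate valid ids.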
GHSA
Vaultwarden has Unauthorized Access via Partial Update API on Another User’s Cipher
ghsa · 2026-03-04 · MEDIUM · CWE-639
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-27898 vaultwarden-web: Vaultwarden: Information disclosure via API partial update [fedora-42]
bugzilla · 2026-03-05 · CVSS 5.4 · MEDIUM
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained ver
Bugzilla
CVE-2026-27898 vaultwarden: Vaultwarden: Information disclosure via API partial update [fedora-42]
bugzilla · 2026-03-05 · CVSS 5.4 · MEDIUM
Bugzilla
CVE-2026-27898 vaultwarden-web: Vaultwarden: Information disclosure via API partial update [fedora-43]
bugzilla · 2026-03-05 · CVSS 5.4 · MEDIUM
Discussion:
FEDORA-2026-064873552d (vaultwarden-web-2026.4.1-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-064873552d
Bugzilla
CVE-2026-27898 vaultwarden-web: Vaultwarden: Information disclosure via API partial update [epel-10]
bugzilla · 2026-03-05 · CVSS 5.4 · MEDIUM
Discussion:
FEDORA-EPEL-2026-c4971fa237 (vaultwarden-web-2026.4.1-1.el10_2) has been submitted as an update to Fedora EPEL 10.2.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-c4971fa237
---
FEDORA-EPEL-2026-c4971fa237 has been pushed to the Fedora EPEL 10.2 testing repository.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-c4971fa237
See also https://fedoraproject.org/wiki/QA:Updates_Testing for m
Wiz
CVE-2026-27898 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.4 · MEDIUM
## CVE-2026-27898: Rust vulnerability analysis and mitigation
Source: NVD
Score: 5.4
Published: March 4, 2026
Severity: MEDIUM
CNA Score: 5.4
Affected Technologies: Rust, NixOS
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Perc