Dani-Garcia Vaultwarden vulnerabilities
20 known vulnerabilities affecting dani-garcia/vaultwarden.
Total CVEs: 20
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 9, MEDIUM 8
Vulnerabilities
CVE-2024-39924 | P2 | HIGH | CVSS 8.8 | CWE-276 | v1.30.3 | 2024-09-13
An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. A vulnerability has been identified in the authentication and authorization process of the endpoint responsible for altering the metadata of an emergency access. It permits an attacker with granted emergency access to escalate their privileges by changing the access level and modif…
Sources: NVD
CVE-2026-43914 | P3 | CRITICAL | CVSS 9.8 | CWE-307 | fixed in 1.35.4 | 2026-05-11
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login brute-force protection if email 2fa is enabled. If email 2fa is enabled, the unprotected 2fa-function send_email_login (email.rs, api endpoint /api/two-factor/send-email-login) also acts as…
Sources: NVD
CVE-2024-55225 | P3 | CRITICAL | CVSS 9.8 | CWE-276 | fixed in 1.32.5 | 2025-01-09
An issue in the component src/api/identity.rs of Vaultwarden prior to v1.32.5 allows attackers to impersonate users, including Administrators, via a crafted authorization request.
Sources: GHSA, NVD, OSV
CVE-2026-43912 | P3 | HIGH | CVSS 8.7 | CWE-285 | fixed in 1.35.5 | 2026-05-11
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden does not enforce that a groups_users.users_organizations_uuid entry belongs to the same organization as groups.groups_uuid, or a collections_groups.collections_uuid entry belongs to the same organization as collections_groups.groups_uuid. Multiple organization gr…
Sources: NVD
CVE-2026-27802 | P3 | HIGH | CVSS 8.3 | CWE-269 | fixed in 1.35.4 | 2026-03-04
Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, there is a privilege escalation vulnerability via bulk permission update to unauthorized collections by Manager. This issue has been patched in version 1.35.4.
Sources: GHSA, NVD, OSV
CVE-2026-27803 | P3 | HIGH | CVSS 8.3 | CWE-269 | fixed in 1.35.4 | 2026-03-04
Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, when a Manager has manage=false for a given collection, they can still perform several management operations as long as they have access to the collection. This issue has been patched in version 1.35.4.
Sources: GHSA, NVD, OSV
CVE-2026-43911 | P3 | HIGH | CVSS 8.1 | CWE-613 | fixed in 1.35.5 | 2026-05-11
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, refresh tokens are not invalidated when the user's security_stamp is rotated by some security-sensitive operations (password change, KDF change, key rotation, email change, org admin password reset, emergency access takeover). This allows an attacker holding a previously ob…
Sources: NVD
CVE-2026-43913 | P3 | HIGH | CVSS 8.1 | CWE-863 | fixed in 1.35.5 | 2026-05-11
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden allows an unconfirmed organization owner to purge the entire organization vault. The organization invite flow uses a two-step process: accepting an invite transitions membership from Invited to Accepted, and a separate confirmation by an existing owner upgrades…
Sources: NVD
CVE-2024-56335 | P3 | HIGH | CVSS 7.5 | CWE-269 | fixed in 1.32.7 | 2024-12-20
vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. In affected versions an attacker is capable of updating or deleting groups from an organization given a few conditions: 1. The attacker has a user account in the server. 2. The attacker's account has admin or owner permissions in an unrelated orga…
Sources: NVD
CVE-2025-24364 | P3 | HIGH | CVSS 7.2 | CWE-74 | fixed in 1.33.0 | 2025-01-27
vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Attacker with authenticated access to the vaultwarden admin panel can execute arbitrary code in the system. The attacker could then change some settings to use sendmail as mail agent but adjust the settings in such a way that it would use a shell c…
Sources: NVD
CVE-2025-24365 | P3 | HIGH | CVSS 7.5 | CWE-284 | fixed in 1.33.0 | 2025-01-27
vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Attacker can obtain owner rights of other organization. Hacker should know the ID of victim organization (in real case the user can be a part of the organization as an unprivileged user) and be the owner/admin of other organization (by default you…
Sources: NVD
CVE-2024-55224 | P3 | CRITICAL | CVSS 9.6 | CWE-79 | fixed in 1.32.5 | 2025-01-09
An HTML injection vulnerability in Vaultwarden prior to v1.32.5 allows attackers to execute arbitrary code via injecting a crafted payload into the username field of an e-mail message.
Sources: GHSA, NVD, OSV
CVE-2024-39925 | P3 | MEDIUM | CVSS 6.5 | CWE-200 | v1.30.3 | 2024-09-13
An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. It lacks an offboarding process for members who leave an organization. As a result, the shared organization key is not rotated when a member departs. Consequently, the departing member, whose access should be revoked, retains a copy of the organization key. Additionally, the appl…
Sources: NVD
CVE-2026-27801 | P3 | MEDIUM | CVSS 5.9 | CWE-307 | fixed in 1.35.0 | 2026-03-04
Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Vaultwarden versions 1.34.3 and prior are susceptible to a 2FA bypass when performing protected actions. An attacker who gains authenticated access to a user's account can exploit this bypass to perform protected actions such as accessing the us…
Sources: GHSA, NVD, OSV
CVE-2026-26012 | P3 | MEDIUM | CVSS 6.5 | CWE-863 | fixed in 1.35.3 | 2026-02-11
vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to 1.35.3, a regular organization member can retrieve all ciphers within an organization, regardless of collection permissions. The endpoint /ciphers/organization-details is accessible to any organization member and internally uses Cipher:…
Sources: NVD
CVE-2026-31835 | P3 | MEDIUM | CVSS 5.4 | CWE-345 | fixed in 1.35.5 | 2026-05-05
Vaultwarden is a Bitwarden-compatible server written in Rust. In versions 1.35.4 and earlier, the WebAuthn authentication flow in `validate_webauthn_login()` updates persistent credential metadata (`backup_eligible` and `backup_state` flags) based on unverified `authenticatorData` before signature validation is performed. An attacker who knows a use…
Sources: NVD
CVE-2026-27898 | P4 | MEDIUM | CVSS 5.4 | CWE-639 | fixed in 1.35.4 | 2026-03-04
Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, an authenticated regular user can specify another user's cipher_id and call "PUT /api/ciphers/{id}/partial". Even though the standard retrieval API correctly denies access to that cipher, the partial update endpoint retur…
Sources: GHSA, NVD, OSV
CVE-2026-33420 | P4 | MEDIUM | CVSS 5.3 | CWE-862 | fixed in 1.35.5 | 2026-05-05
Vaultwarden is a Bitwarden-compatible server written in Rust. In version 1.35.4 and earlier, the get_org_collections_details endpoint (GET /api/organizations/{org_id}/collections/details) is missing the has_full_access() authorization check that exists on the sibling get_org_collections endpoint. This allows any Manager-role user with accessAll=Fals…
Sources: NVD
CVE-2024-39926 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | v1.30.3 | 2024-09-13
An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. A stored cross-site scripting (XSS) or, due to the default CSP, HTML injection vulnerability has been discovered in the admin dashboard. This potentially allows an authenticated attacker to inject malicious code into the dashboard, which is then executed or rendered in the context…
Sources: NVD
CVE-2024-55226 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | v1.32.5 | 2025-01-09
Vaultwarden v1.32.5 was discovered to contain an authenticated reflected cross-site scripting (XSS) vulnerability via the component /api/core/mod.rs.
Sources: GHSA, NVD, OSV