CVE-2026-27898

Medium CVSS: 5.4

Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, an authenticated regular user can specify another user’s cipher_id and call "PUT /api/ciphers/{id}/partial" Even though the standard retrieval API correctly denies access to that cipher, the partial update endpoint returns 200 OK and exposes cipherDetails (including name, notes, data, secureNote, etc.). This issue has been patched in version 1.35.4.

Vendor

Dani-garcia

Product

Vaultwarden

CWE

CWE-639

Yayın Tarihi

2026-03-04 22:16:18

Güncelleme

2026-03-06 19:45:12

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-639 Vaultwarden MEDIUM Dani-garcia 2026

Referanslar

https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-w9f8-m526-h7fh

Benzer Kayıtlar

High

CVE-2026-27802

Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to versi…

High

CVE-2026-27803

Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to versi…

Medium

CVE-2026-27801

Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Vaultwarden ve…

Medium

CVE-2026-26012

vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to 1.35.…

High

CVE-2025-24364

vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Attacker with…

High

CVE-2025-24365

vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Attacker can o…