Security researchers have identified a series of critical vulnerabilities in Vaultwarden, the popular lightweight, self-hosted alternative to the Bitwarden API. The flaws range from unauthorized privilege escalation to a data leak that allows users to download encrypted secrets belonging to others.
Vaultwarden is a favorite for home-lab enthusiasts and small businesses seeking a privacy-focused password management solution without the resource overhead of the official enterprise stack.
The first set of vulnerabilities, CVE-2026-27803 and CVE-2026-27802, concern the “Manager” role within Vaultwarden organizations.
- Permission Bypass: Researchers confirmed that even when a Manager is explicitly denied management rights (manage=false) for a specific collection, they can still perform administrative actions. This includes modifying collection settings, changing user assignments, and even deleting the collection entirely.
- Bulk Escalation: In a more severe “unauthorized privilege escalation,” a Manager can directly invoke a bulk-access API to grant themselves permissions over collections that were never assigned to them.
These flaws undermine the integrity of organizational access controls, potentially allowing a single sub-administrator to gain unauthorized access to every restricted collection within the vault.
The third flaw is CVE-2026-27898, a vulnerability that allows any authenticated regular user to view and download data from another user’s encrypted vault entries.
While standard retrieval APIs correctly block unauthorized access, a specific “Partial Update” endpoint (PUT /api/ciphers/{id}/partial) does not.
By simply providing the cipher_id of another user, an attacker receives a full response containing sensitive cipherDetails, including the entry’s name, notes, and encrypted data.
Even more critical, the response includes tokenized URLs for attachments. Attackers can use these links to directly download attachment files, such as identity documents or private keys, that they are not authorized to see.
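As an added defensive example, not taken from the advisory or from the Vaultwarden project, here is a log check that flags clients whose successful PUT /api/ciphers/{id}/partial requests touch several distinct cipher ids within a short window, which is what a reviewer of reverse-proxy logs would look for on an unpatched 1.35.3 instance. The log lines, client addresses and cipher ids are constructed, and the window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log sample in Combined Log Format (not real traffic).
# 203.0.113.7 hits five different cipher ids through the partial-update endpoint
# within a few seconds; 198.51.100.4 updates its own single cipher twice.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:08:00:01 +0000] "PUT /api/ciphers/4d2f1c3e-0000-4000-8000-000000000001/partial HTTP/1.1" 200 812
203.0.113.7 - - [10/Mar/2026:08:00:02 +0000] "PUT /api/ciphers/4d2f1c3e-0000-4000-8000-000000000002/partial HTTP/1.1" 200 790
203.0.113.7 - - [10/Mar/2026:08:00:03 +0000] "GET /api/sync HTTP/1.1" 200 4410
203.0.113.7 - - [10/Mar/2026:08:00:04 +0000] "PUT /api/ciphers/4d2f1c3e-0000-4000-8000-000000000003/partial HTTP/1.1" 200 801
203.0.113.7 - - [10/Mar/2026:08:00:05 +0000] "PUT /api/ciphers/4d2f1c3e-0000-4000-8000-000000000004/partial HTTP/1.1" 200 777
203.0.113.7 - - [10/Mar/2026:08:00:06 +0000] "PUT /api/ciphers/4d2f1c3e-0000-4000-8000-000000000005/partial HTTP/1.1" 200 805
198.51.100.4 - - [10/Mar/2026:08:01:00 +0000] "PUT /api/ciphers/9b7e2a10-0000-4000-8000-00000000aaaa/partial HTTP/1.1" 200 798
198.51.100.4 - - [10/Mar/2026:08:03:30 +0000] "PUT /api/ciphers/9b7e2a10-0000-4000-8000-00000000aaaa/partial HTTP/1.1" 200 798
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
PARTIAL_RE = re.compile(r"^/api/ciphers/(?P<cipher_id>[0-9a-fA-F-]+)/partial$")


def parse_partial_updates(log_text):
    """Yield (client, timestamp, cipher_id, status) for each PUT .../partial request."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "PUT":
            continue
        p = PARTIAL_RE.match(m["path"])
        if not p:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["client"], ts, p["cipher_id"].lower(), int(m["status"])


def flag_enumeration(log_text, window=timedelta(minutes=5), threshold=3):
    """Map client -> set of cipher ids for clients whose successful partial updates
    touch more than `threshold` distinct ciphers inside any `window` (assumed values)."""
    events = defaultdict(list)
    for client, ts, cid, status in parse_partial_updates(log_text):
        if status == 200:
            events[client].append((ts, cid))
    flagged = {}
    for client, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            ids = {cid for ts, cid in evs[i:] if ts - start <= window}
            if len(ids) > threshold:
                flagged[client] = ids
                break
    return flagged
```

A flagged client is a prompt to compare the touched cipher ids against that account's own vault entries in the database, since one user legitimately editing many of their own items in a row looks the same in the proxy log.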
All three vulnerabilities impact Vaultwarden installations running version 1.35.3.
The development team has released a critical security update to address these issues. Vaultwarden users are strongly urged to upgrade to version 1.35.4 immediately to secure their vaults.