CVE-2026-27803 Overview
CVE-2026-27803 is an Improper Privilege Management vulnerability in Vaultwarden, an unofficial Bitwarden-compatible server written in Rust (formerly known as bitwarden_rs). Prior to version 1.35.4, when a Manager has manage=false for a given collection, they can still perform several management operations as long as they have access to the collection. This represents a broken access control issue that allows users with restricted permissions to bypass intended authorization controls.
Critical Impact
Users with Manager roles can bypass collection management restrictions, potentially allowing unauthorized modifications to password collections, user assignments, and collection settings despite explicit manage=false configuration.
Affected Products
- Vaultwarden versions prior to 1.35.4
- Self-hosted Bitwarden-compatible server deployments using Vaultwarden
- Organizations using Vaultwarden with Manager role-based access controls
Discovery Timeline
- 2026-03-04 - CVE CVE-2026-27803 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-27803
Vulnerability Analysis
This vulnerability is classified under CWE-269 (Improper Privilege Management), indicating a fundamental flaw in how Vaultwarden validates and enforces permission boundaries for Manager-level users. The core issue lies in insufficient authorization checks when processing management API requests against collections.
When a Manager is assigned to a collection with the manage=false flag, the system should restrict that user from performing administrative operations on that collection. However, the vulnerable versions fail to properly enforce this restriction at the API level. As long as the Manager has basic access to the collection (read/write permissions), they can invoke management endpoints that should be gated behind the manage=true permission.
This allows attackers with legitimate but limited Manager credentials to escalate their privileges within the organization's password vault infrastructure. The impact includes unauthorized modification of collection membership, user access changes, and potential exposure of sensitive credential data to unauthorized parties.
Root Cause
The root cause stems from incomplete authorization validation in Vaultwarden's collection management endpoints. The application correctly checks whether a user has Manager-level access to a collection but fails to verify the granular manage permission flag before processing administrative operations. This missing permission check creates a gap between the intended access control model and the actual enforcement behavior.
Attack Vector
The vulnerability is exploitable over the network by authenticated users with Manager roles. An attacker with a valid Manager account that has been explicitly denied management permissions (manage=false) on specific collections can bypass these restrictions through direct API calls.
The attack requires:
- A valid Vaultwarden account with Manager-level access
- Access to at least one collection (even with manage=false)
- Knowledge of the collection management API endpoints
The attacker can then perform unauthorized operations such as modifying collection settings, adding or removing users from collections, or changing collection permissions for other users. Since this requires authenticated access, the attack surface is limited to insider threats or compromised Manager accounts.
Detection Methods for CVE-2026-27803
Indicators of Compromise
- Unexpected changes to collection membership or permissions in audit logs
- Management API calls from Manager accounts with manage=false restrictions
- Anomalous administrative activity patterns from accounts with limited permissions
- Unauthorized user additions or removals from password collections
Detection Strategies
- Review Vaultwarden access logs for collection management operations performed by restricted Managers
- Implement monitoring for API calls to management endpoints from accounts with manage=false configuration
- Compare audit trail entries against expected permission boundaries for each Manager account
- Deploy API-level monitoring to detect authorization bypass attempts
Monitoring Recommendations
- Enable comprehensive audit logging for all collection management operations
- Configure alerts for permission changes on sensitive collections
- Implement regular access review processes to identify anomalous Manager activities
- Monitor for patterns of API abuse that indicate exploitation attempts
How to Mitigate CVE-2026-27803
Immediate Actions Required
- Upgrade Vaultwarden to version 1.35.4 or later immediately
- Review audit logs for any unauthorized management operations by restricted Managers
- Verify collection permission configurations are correctly applied after the upgrade
- Consider temporarily restricting Manager access to sensitive collections until patching is complete
Patch Information
The vulnerability has been patched in Vaultwarden version 1.35.4. Organizations running self-hosted Vaultwarden instances should update to this version or later to remediate the issue. The patch addresses the authorization bypass by implementing proper validation of the manage permission flag before allowing management operations on collections.
For detailed patch information and security advisory, refer to the GitHub Security Advisory GHSA-h4hq-rgvh-wh27.
Workarounds
- Temporarily revoke Manager access from untrusted users until patching is complete
- Remove collection access entirely for Managers who should not have management capabilities
- Implement network-level restrictions to limit API access to trusted endpoints
- Consider switching affected Managers to User-level access as an interim measure
# Update Vaultwarden to patched version
docker pull vaultwarden/server:1.35.4
docker stop vaultwarden
docker rm vaultwarden
docker run -d --name vaultwarden -v /vw-data/:/data/ -p 80:80 vaultwarden/server:1.35.4
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
