CVE-2026-33420— Vaultwarden missing authorization check allows Manager-role users to enumerate all collections
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-33420
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Vaultwarden missing authorization check allows Manager-role users to enumerate all collections
Source: NVD (National Vulnerability Database)
Vulnerability Description
Vaultwarden is a Bitwarden-compatible server written in Rust. In version 1.35.4 and earlier, the get_org_collections_details endpoint (GET /api/organizations/{org_id}/collections/details) is missing the has_full_access() authorization check that exists on the sibling get_org_collections endpoint. This allows any Manager-role user with accessAll=False and no collection assignments to retrieve the names, UUIDs, user-to-collection mappings, and group-to-collection mappings for all collections in the organization. This issue has been fixed in version 1.35.5.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制缺失
Source: NVD (National Vulnerability Database)
Vulnerability Title
Vaultwarden 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Vaultwarden是Daniel García个人开发者的一个用 Rust 编写的 Bitwarden 服务器 API 的替代实现。 Vaultwarden 1.35.4及之前版本存在安全漏洞,该漏洞源于get_org_collections_details端点缺少has_full_access授权检查,可能导致Manager角色用户检索组织内所有集合的名称、UUID和映射信息。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| dani-garcia | vaultwarden | < 1.35.5 | - |
II. Public POCs for CVE-2026-33420
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-33420
请登录查看更多情报信息。
- Release 1.35.5 · dani-garcia/vaultwarden · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-33420
IV. Related Vulnerabilities
Same product: vaultwarden
- CVE-2026-31835
Vaultwarden WebAuthn credential metadata tampered before sig - CVE-2026-27898
Vaultwarden: Unauthorized Access via Partial Update API on A - CVE-2026-27803
Vaultwarden: Collection Management Operations Allowed Withou - CVE-2026-27802
Vaultwarden: Privilege Escalation via Bulk Permission Update - CVE-2026-27801
Vaultwarden: 2FA Bypass on Protected Actions due to Faulty R
Same vendor: dani-garcia
- CVE-2026-31835
Vaultwarden WebAuthn credential metadata tampered before sig - CVE-2026-27898
Vaultwarden: Unauthorized Access via Partial Update API on A - CVE-2026-27803
Vaultwarden: Collection Management Operations Allowed Withou - CVE-2026-27802
Vaultwarden: Privilege Escalation via Bulk Permission Update - CVE-2026-27801
Vaultwarden: 2FA Bypass on Protected Actions due to Faulty R
Same weakness: CWE-862
- CVE-2021-47932
WordPress TheCartPress 1.5.3.6 Privilege Escalation Unauthen - CVE-2025-15634
HCL BigFix WebUI is affected by a missing authorization vuln - CVE-2026-42297
Argo Workflows Is Missing Authorization in Sync ConfigMap Pr - CVE-2026-42174
Kirby: User avatar creation, replacement and deletion are no - CVE-2026-42137
Kirby: `pages.access/list` and `files.access/list` permissio
V. Comments for CVE-2026-33420
No comments yet