Vaultwarden, an unofficial Bitwarden-compatible password management server written in Rust, suffered from an incorrect authorization vulnerability identified as CVE-2026-26012 (CWE-863). Prior to version 1.35.3, any regular member of an organization hosted on vaultwarden could retrieve all stored ciphers across the entire organization, bypassing collection-level access restrictions. The vulnerability stems from the /ciphers/organization-details API endpoint, which is accessible to all organization members and internally calls Cipher::find_by_org to fetch ciphers. However, this function returns all ciphers tagged with CipherSyncType::Organization without validating if the requesting user has permission to access specific collections. Consequently, users with limited collection permissions could access sensitive credentials beyond their authorized scope. The flaw does not require elevated privileges beyond being an organization member, nor does it require user interaction, making exploitation straightforward if an attacker has network access. The vulnerability impacts confidentiality but does not affect integrity or availability. It was assigned a CVSS 3.1 base score of 6.5, reflecting a medium severity level. The issue was resolved in vaultwarden version 1.35.3 by enforcing proper collection-level access controls on the affected endpoint.

This vulnerability can lead to unauthorized disclosure of sensitive credentials stored within an organization's vaultwarden instance. Attackers or malicious insiders with regular organization membership can access all stored passwords and secrets, potentially leading to credential theft, lateral movement, and compromise of other connected systems. Since vaultwarden is often used to manage critical credentials, this exposure can have severe operational and security consequences, including data breaches and loss of trust. The impact is primarily on confidentiality, with no direct effect on data integrity or service availability. Organizations relying on vaultwarden for secure password management are at risk of internal data leakage and external compromise if the vulnerability is exploited. The ease of exploitation and the widespread use of vaultwarden in various sectors amplify the potential risk.

The primary mitigation is to upgrade vaultwarden to version 1.35.3 or later, where the vulnerability is fixed by enforcing collection-level access controls on the /ciphers/organization-details endpoint. Until upgrading, organizations should restrict network access to vaultwarden instances to trusted users only and monitor for unusual access patterns by organization members. Implementing strict organizational policies to limit membership and permissions can reduce exposure. Additionally, auditing access logs for suspicious retrieval of ciphers and educating users about the risk of insider threats can help mitigate impact. Organizations should also consider rotating sensitive credentials stored in vaultwarden after patching to limit potential damage from prior unauthorized access.