CVE-2026-33420: CWE-862: Missing Authorization in dani-garcia vaultwarden
Vaultwarden versions 1.35.4 and earlier contain a missing authorization check in the get_org_collections_details API endpoint. This flaw allows users with Manager role but restricted access (accessAll=False and no collection assignments) to retrieve sensitive organizational collection metadata, including names, UUIDs, and user/group-to-collection mappings. The issue was resolved in version 1.35.5.
AI Analysis
Technical Summary
CVE-2026-33420 is a missing authorization vulnerability (CWE-862) in Vaultwarden, a Bitwarden-compatible server written in Rust. Specifically, the GET /api/organizations/{org_id}/collections/details endpoint lacks the has_full_access() authorization check present in a related endpoint. This permits Manager-role users without full access to enumerate all collections' metadata within an organization. The vulnerability affects Vaultwarden versions prior to 1.35.5 and has a CVSS 4.0 base score of 5.3 (medium severity).
Potential Impact
An attacker with Manager role but limited collection access can retrieve detailed organizational collection information, including collection names, UUIDs, and mappings of users and groups to collections. This exposure could aid in further reconnaissance or privilege escalation attempts within the organization. There is no indication of direct data modification or broader privilege escalation from this vulnerability alone.
Mitigation Recommendations
Upgrade Vaultwarden to version 1.35.5 or later, where the missing authorization check has been implemented. Since this is an on-premises product, administrators must apply the update manually. Patch status is not explicitly stated but the vendor fixed the issue in 1.35.5, so applying this version is the recommended remediation.
CVE-2026-33420: CWE-862: Missing Authorization in dani-garcia vaultwarden
Description
Vaultwarden versions 1.35.4 and earlier contain a missing authorization check in the get_org_collections_details API endpoint. This flaw allows users with Manager role but restricted access (accessAll=False and no collection assignments) to retrieve sensitive organizational collection metadata, including names, UUIDs, and user/group-to-collection mappings. The issue was resolved in version 1.35.5.
CVSS v4.0
Score 5.3medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-33420 is a missing authorization vulnerability (CWE-862) in Vaultwarden, a Bitwarden-compatible server written in Rust. Specifically, the GET /api/organizations/{org_id}/collections/details endpoint lacks the has_full_access() authorization check present in a related endpoint. This permits Manager-role users without full access to enumerate all collections' metadata within an organization. The vulnerability affects Vaultwarden versions prior to 1.35.5 and has a CVSS 4.0 base score of 5.3 (medium severity).
Potential Impact
An attacker with Manager role but limited collection access can retrieve detailed organizational collection information, including collection names, UUIDs, and mappings of users and groups to collections. This exposure could aid in further reconnaissance or privilege escalation attempts within the organization. There is no indication of direct data modification or broader privilege escalation from this vulnerability alone.
Mitigation Recommendations
Upgrade Vaultwarden to version 1.35.5 or later, where the missing authorization check has been implemented. Since this is an on-premises product, administrators must apply the update manually. Patch status is not explicitly stated but the vendor fixed the issue in 1.35.5, so applying this version is the recommended remediation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-19T18:45:22.432Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fa46b8cbff5d86101f9ffb
Added to database: 5/5/2026, 7:36:24 PM
Last enriched: 5/13/2026, 3:49:38 AM
Last updated: 6/20/2026, 7:33:22 AM
Views: 99
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.