Cyber Resilience

CVE-2026-27802

High

Published: 04 March 2026

Published
04 March 2026
Modified
06 March 2026
KEV Added
Patch
CVSS Score v3.1 8.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
EPSS Score 0.0029 20.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-27802 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Dani-Garcia Vaultwarden. Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 20.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-27802 is a privilege escalation vulnerability in Vaultwarden, an unofficial Bitwarden-compatible server written in Rust and formerly known as bitwarden_rs. Affecting versions prior to 1.35.4, the flaw allows a Manager to perform bulk permission updates on unauthorized collections, violating intended access controls. It is rated with a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L) and is associated with CWE-269 (Improper Privilege Management) and CWE-863 (Incorrect Authorization).

An authenticated attacker with low privileges, specifically a Manager role, can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation enables the attacker to escalate privileges by modifying permissions on collections they should not access, potentially resulting in high confidentiality and integrity impacts, such as unauthorized data exposure or alteration, alongside limited availability disruption.

The issue has been patched in Vaultwarden version 1.35.4. Additional details and mitigation guidance are available in the GitHub Security Advisory at https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-r32r-j5jq-3w4m.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, there is a privilege escalation vulnerability via bulk permission update to unauthorized collections by Manager. This issue has been patched in version…

more

1.35.4.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The CVE explicitly describes a privilege escalation vulnerability (CWE-269/863) in an authenticated context that allows unauthorized bulk permission modifications, directly mapping to Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27803Same product: Dani-Garcia Vaultwarden
CVE-2025-24365Same product: Dani-Garcia Vaultwarden
CVE-2026-43913Same product: Dani-Garcia Vaultwarden
CVE-2026-43912Same product: Dani-Garcia Vaultwarden
CVE-2026-43914Same product: Dani-Garcia Vaultwarden
CVE-2024-55224Same product: Dani-Garcia Vaultwarden
CVE-2025-24364Same product: Dani-Garcia Vaultwarden
CVE-2024-55225Same product: Dani-Garcia Vaultwarden
CVE-2026-27899Shared CWE-269, CWE-863
CVE-2026-23896Shared CWE-269

Affected Assets

dani-garcia
vaultwarden
≤ 1.35.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for access to system resources, directly preventing Managers from performing bulk permission updates on unauthorized collections.

prevent

Requires correct access control decisions based on policy for modifying collection permissions, addressing the incorrect authorization flaw (CWE-863).

prevent

Applies least privilege to limit Manager role capabilities, mitigating improper privilege management (CWE-269) and escalation to unauthorized collections.

References