CVE-2026-27802
Published: 04 March 2026
Summary
CVE-2026-27802 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Dani-Garcia Vaultwarden. Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 16.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for access to system resources, directly preventing Managers from performing bulk permission updates on unauthorized collections.
Requires correct access control decisions based on policy for modifying collection permissions, addressing the incorrect authorization flaw (CWE-863).
Applies least privilege to limit Manager role capabilities, mitigating improper privilege management (CWE-269) and escalation to unauthorized collections.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE explicitly describes a privilege escalation vulnerability (CWE-269/863) in an authenticated context that allows unauthorized bulk permission modifications, directly mapping to Exploitation for Privilege Escalation.
NVD Description
Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, there is a privilege escalation vulnerability via bulk permission update to unauthorized collections by Manager. This issue has been patched in version…
more
1.35.4.
Deeper analysisAI
CVE-2026-27802 is a privilege escalation vulnerability in Vaultwarden, an unofficial Bitwarden-compatible server written in Rust and formerly known as bitwarden_rs. Affecting versions prior to 1.35.4, the flaw allows a Manager to perform bulk permission updates on unauthorized collections, violating intended access controls. It is rated with a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L) and is associated with CWE-269 (Improper Privilege Management) and CWE-863 (Incorrect Authorization).
An authenticated attacker with low privileges, specifically a Manager role, can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation enables the attacker to escalate privileges by modifying permissions on collections they should not access, potentially resulting in high confidentiality and integrity impacts, such as unauthorized data exposure or alteration, alongside limited availability disruption.
The issue has been patched in Vaultwarden version 1.35.4. Additional details and mitigation guidance are available in the GitHub Security Advisory at https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-r32r-j5jq-3w4m.
Details
- CWE(s)