CVE-2026-27803
Published: 04 March 2026
Summary
CVE-2026-27803 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Dani-Garcia Vaultwarden. Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 16.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Employs the principle of least privilege to ensure managers with manage=false cannot perform unauthorized management operations on collections, directly addressing CWE-269 Improper Privilege Management.
Enforces approved authorizations for access to system resources, preventing the authorization bypass that allowed restricted managers to execute management actions.
Determines and authorizes access based on role-specific attributes like manage=false for collections, mitigating CWE-285 and CWE-863 Incorrect Authorization flaws.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authorization bypass in exposed server app directly enables remote low-priv users to perform unauthorized management actions (privilege escalation via T1068); maps to exploitation of public-facing application (T1190) per CVSS network vector and CWE-269/285/863.
NVD Description
Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, when a Manager has manage=false for a given collection, they can still perform several management operations as long as they have access…
more
to the collection. This issue has been patched in version 1.35.4.
Deeper analysisAI
CVE-2026-27803 is an authorization bypass vulnerability in Vaultwarden, an unofficial Bitwarden-compatible server written in Rust and formerly known as bitwarden_rs. In versions prior to 1.35.4, a user with a Manager role set to manage=false for a specific collection can still perform several management operations on that collection if they have access to it. The vulnerability carries a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L) and maps to CWE-269 (Improper Privilege Management), CWE-285 (Improper Authorization), and CWE-863 (Incorrect Authorization).
The attack requires low privileges—an authenticated Manager with collection access but without explicit manage permissions—and can be carried out remotely over the network with low complexity and no user interaction. Exploitation allows the attacker to execute unauthorized management actions on the collection, resulting in high impacts to confidentiality and integrity, such as unauthorized data access or modification, alongside a low availability impact.
Vaultwarden has addressed this issue in version 1.35.4. Additional details on the vulnerability and patch are available in the GitHub security advisory at https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h4hq-rgvh-wh27.
Details
- CWE(s)