Cyber Resilience

CVE-2026-43912

HighPublic PoC

Published: 11 May 2026

Published
11 May 2026
Modified
15 May 2026
KEV Added
Patch
CVSS Score v3.1 8.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
EPSS Score 0.0029 20.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-43912 is a high-severity Improper Authorization (CWE-285) vulnerability in Dani-Garcia Vaultwarden. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden does not enforce that a groups_users.users_organizations_uuid entry belongs to the same organization as groups.groups_uuid, or a collections_groups.collections_uuid entry belongs to the same organization as collections_groups.groups_uuid. Multiple organization group-management…

more

endpoints accept arbitrary MembershipId and CollectionId values and persist them directly without verifying org consistency. This lets an attacker who is Admin in Organization A, and only a low-privileged member in Organization B bind their Org B membership UUID into an Org A group, then use that foreign group relationship to gain unauthorized access to Org B vault data. With an accessAll=true Org A group, the attacker can make /api/sync and /api/ciphers enumerate Org B ciphers. Once those unauthorized sync results reveal Org B collection IDs, the attacker can also bind those foreign collection IDs to the Org A group and turn the same flaw into write access over Org B items. This vulnerability is fixed in 1.35.5.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1213 Data from Information Repositories Collection
Adversaries may leverage information repositories to mine valuable information.
Why these techniques?

Vuln in public-facing Vaultwarden server (T1190) enables authz bypass for cross-org data access (T1213) via improper group/collection binding, directly facilitating privilege escalation to unauthorized vault contents (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27803Same product: Dani-Garcia Vaultwarden
CVE-2024-55224Same product: Dani-Garcia Vaultwarden
CVE-2024-55225Same product: Dani-Garcia Vaultwarden
CVE-2026-27802Same product: Dani-Garcia Vaultwarden
CVE-2025-24365Same product: Dani-Garcia Vaultwarden
CVE-2025-24364Same product: Dani-Garcia Vaultwarden
CVE-2026-43913Same product: Dani-Garcia Vaultwarden
CVE-2026-43914Same product: Dani-Garcia Vaultwarden
CVE-2026-32716Shared CWE-285
CVE-2025-26683Shared CWE-285

Affected Assets

dani-garcia
vaultwarden
≤ 1.35.5

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-285

Documented procedures facilitate correct implementation and ongoing management of authorization decisions.

addresses: CWE-285

Periodic reviews identify and correct flaws in authorization decisions or enforcement.

addresses: CWE-285

The control's documentation requirement reduces improper authorization by ensuring only mission-justified actions bypass authentication.

addresses: CWE-285

Establishing permitted attributes and values, plus auditing changes, ensures authorization decisions are based on correctly managed policy data.

addresses: CWE-285

Explicitly mandates authorizing remote access types before permitting connections, directly mitigating improper authorization.

addresses: CWE-285

The control explicitly requires authorization of each wireless access type prior to permitting connections.

addresses: CWE-285

Mandating explicit authorization of mobile device connections reduces the risk of improper authorization decisions for system access.

addresses: CWE-285

Specifying access authorizations for each account and requiring approvals for account requests enforces proper authorization decisions.

References