CVE-2026-26012

vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to 1.35.3, a regular organization member can retrieve all ciphers within an organization, regardless of collection permissions. The endpoint /ciphers/organization-details is accessible to any organization member and internally uses Cipher::find_by_org to retrieve all ciphers. These ciphers are returned with CipherSyncType::Organization without enforcing collection-level access control. This vulnerability is fixed in 1.35.3.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.3	Product Release Notes
https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h265-g7rm-h337	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:dani-garcia:vaultwarden:*:*:*:*:*:*:*:*

History

13 Feb 2026, 21:41

Type	Values Removed	Values Added
First Time		Dani-garcia vaultwarden Dani-garcia
References	~~() https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.3 -~~	() https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.3 - Product, Release Notes
References	~~() https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h265-g7rm-h337 -~~	() https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h265-g7rm-h337 - Vendor Advisory
CPE		cpe:2.3:a:dani-garcia:vaultwarden::::::::

11 Feb 2026, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-11 22:15

Updated : 2026-02-13 21:41

NVD link : CVE-2026-26012

Mitre link : CVE-2026-26012

CVE.ORG link : CVE-2026-26012

JSON object : View

Products Affected

dani-garcia

vaultwarden

CWE

CWE-863

Incorrect Authorization

6.5 /10