{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26012", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T21:36:29.553Z", "datePublished": "2026-02-11T21:14:58.102Z", "dateUpdated": "2026-02-11T21:14:58.102Z"}, "containers": {"cna": {"title": "vaultwarden has Full Cipher Enumeration Ignoring Organization Collection Permissions", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h265-g7rm-h337", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h265-g7rm-h337"}, {"name": "https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.3"}], "affected": [{"vendor": "dani-garcia", "product": "vaultwarden", "versions": [{"version": "< 1.35.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-11T21:14:58.102Z"}, "descriptions": [{"lang": "en", "value": "vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to 1.35.3, a regular organization member can retrieve all ciphers within an organization, regardless of collection permissions. The endpoint /ciphers/organization-details is accessible to any organization member and internally uses Cipher::find_by_org to retrieve all ciphers. These ciphers are returned with CipherSyncType::Organization without enforcing collection-level access control. This vulnerability is fixed in 1.35.3."}], "source": {"advisory": "GHSA-h265-g7rm-h337", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to 1.35.3, a regular organization member can retrieve all ciphers within an organization, regardless of collection permissions. The endpoint /ciphers/organization-details is accessible to any organization member and internally uses Cipher::find_by_org to retrieve all ciphers. These ciphers are returned with CipherSyncType::Organization without enforcing collection-level access control. This vulnerability is fixed in 1.35.3."}], "id": "CVE-2026-26012", "lastModified": "2026-02-11T22:15:51.703", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-11T22:15:51.703", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.3"}, {"source": "security-advisories@github.com", "url": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h265-g7rm-h337"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "vaultwarden: Vaultwarden: Information disclosure due to bypassed collection permissions", "id": "2439184", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439184"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-1220", "details": ["A flaw was found in vaultwarden, an unofficial Bitwarden compatible server. A regular organization member can retrieve all ciphers (encrypted data) within an organization, bypassing collection-level access controls. This allows for unauthorized information disclosure, potentially exposing sensitive data."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-26012", "public_date": "2026-02-11T21:14:58Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-26012\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-26012\nhttps://github.com/dani-garcia/vaultwarden/releases/tag/1.35.3\nhttps://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h265-g7rm-h337"], "statement": "MODERATE: This flaw allows an authenticated organization member to bypass collection permissions and enumerate all ciphers within a Vaultwarden organization. This could lead to unauthorized disclosure of sensitive information. Red Hat does not ship Vaultwarden as part of its products; however, customers deploying Vaultwarden in their environment may be affected.", "threat_severity": "Moderate"}

{"created": "2026-02-12T09:03:15.033989+00:00", "updated": "2026-02-12T09:03:15.034096+00:00", "vendors": ["dani-garcia", "dani-garcia$PRODUCT$vaultwarden"]}