Vaultwarden Authentication Bypass Vulnerability Allowing User Impersonation
Vulnerability
A vulnerability in Vaultwarden's identity management component, present in versions prior to 1.32.5, allows attackers to impersonate users, including administrators. This is achieved by exploiting a flaw in the authorization request handling, where an unauthenticated attacker can create an auth request for one user and use it to log in as another user. The vulnerability arises because the auth request is not properly linked to the user, enabling unauthorized access to user data and, in the case of organizations, the ability to access and decrypt sensitive key material.
Impact
Exploitation of this vulnerability allows for unauthorized user impersonation, including administrative roles, and access to sensitive user data. In organizational contexts, it enables access to decrypted key material by impersonating a higher-privileged user.
Reproduction
To reproduce this vulnerability, an unauthenticated request must be sent to the '/api/auth-requests' endpoint to create an authorization request. This request can then be used to log in as another user by sending a crafted request to the '/identity/connect/token' endpoint, bypassing the normal authentication checks.
Remediation
Users are advised to update Vaultwarden to version 1.32.5 or later, where this vulnerability has been fixed.
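The root cause described above is a token endpoint that accepts an auth request without checking which user it was created for. The following is an added, deliberately simplified Rust model written for this page (it is not Vaultwarden's code; the `AuthRequest` fields, the `Store` type, the `issue_token_*` functions and the sample ids are all this example's own assumptions). It places the unlinked check beside the hardened one so the missing ownership test is visible, and shows how the hardened version binds the issued session to the request's owner rather than to the caller-supplied user id.

```rust
use std::collections::HashMap;

/// Hypothetical model of a pending device-login ("auth request").
/// Field names are this example's own, not Vaultwarden's schema.
#[derive(Clone, Debug)]
pub struct AuthRequest {
    pub id: String,
    pub user_uuid: String,   // user the request was created for
    pub access_code: String, // secret the approving device must present
    pub approved: bool,
}

#[derive(Default)]
pub struct Store {
    requests: HashMap<String, AuthRequest>,
}

#[derive(Debug, PartialEq)]
pub enum TokenError {
    UnknownRequest,
    NotApproved,
    BadAccessCode,
    UserMismatch,
}

/// Length-guarded, constant-time byte comparison for the access code.
fn constant_time_eq(a: &str, b: &str) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.bytes().zip(b.bytes()).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

impl Store {
    pub fn insert(&mut self, r: AuthRequest) {
        self.requests.insert(r.id.clone(), r);
    }

    /// Flawed variant (constructed to illustrate the bug class): the token
    /// endpoint trusts the caller-supplied user id and only checks that an
    /// approved request with the given id exists.
    pub fn issue_token_unlinked(
        &self,
        claimed_user: &str,
        request_id: &str,
        code: &str,
    ) -> Result<String, TokenError> {
        let r = self.requests.get(request_id).ok_or(TokenError::UnknownRequest)?;
        if !r.approved {
            return Err(TokenError::NotApproved);
        }
        if !constant_time_eq(&r.access_code, code) {
            return Err(TokenError::BadAccessCode);
        }
        // BUG: r.user_uuid is never compared with claimed_user, so the
        // session is minted for whatever user the caller names.
        Ok(format!("session-for:{}", claimed_user))
    }

    /// Hardened variant: the request must belong to the claimed user, and the
    /// session is derived from the stored owner, never from caller input.
    pub fn issue_token_linked(
        &self,
        claimed_user: &str,
        request_id: &str,
        code: &str,
    ) -> Result<String, TokenError> {
        let r = self.requests.get(request_id).ok_or(TokenError::UnknownRequest)?;
        if r.user_uuid != claimed_user {
            return Err(TokenError::UserMismatch);
        }
        if !r.approved {
            return Err(TokenError::NotApproved);
        }
        if !constant_time_eq(&r.access_code, code) {
            return Err(TokenError::BadAccessCode);
        }
        Ok(format!("session-for:{}", r.user_uuid))
    }
}

fn main() {
    // Constructed sample data: one approved request owned by "user-a".
    let mut store = Store::default();
    store.insert(AuthRequest {
        id: "req-1".to_string(),
        user_uuid: "user-a".to_string(),
        access_code: "code-a".to_string(),
        approved: true,
    });
    // A caller naming a different user gets a session from the flawed variant
    // and a UserMismatch error from the hardened one.
    println!("{:?}", store.issue_token_unlinked("admin-user", "req-1", "code-a"));
    println!("{:?}", store.issue_token_linked("admin-user", "req-1", "code-a"));
    println!("{:?}", store.issue_token_linked("user-a", "req-1", "code-a"));
}
```

The ownership check runs before the approval and access-code checks so that a request belonging to someone else is rejected with the same error regardless of its state, and the session string is built from `r.user_uuid` so that even a future regression in the comparison cannot mint a session for a caller-chosen identity.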
