Vaultwarden Full Cipher Enumeration Vulnerability Allowing Unauthorized Data Access
Vulnerability
A vulnerability in Vaultwarden, an unofficial Bitwarden-compatible server, allows regular organization members to access all ciphers within their organization, regardless of collection permissions. This issue exists in versions prior to 1.35.3. The vulnerability arises because the endpoint '/ciphers/organization-details' retrieves all ciphers without enforcing collection-level access controls. As a result, an attacker could obtain encrypted data, keys, and attachment metadata from ciphers they should not have access to.
Impact
Exploitation of this vulnerability bypasses collection-based access controls, leading to unauthorized access to sensitive data, including encrypted cipher information, keys, and attachment metadata, which could be decrypted on the client side.
Reproduction
To reproduce this vulnerability, log in as a regular organization member who does not have access to certain collections. Then, call the '/ciphers/organization-details' endpoint. The response will include all ciphers in the organization, ignoring collection restrictions, allowing access to data from other members' ciphers.
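The missing authorization check, modeled as an added Rust example (this is not Vaultwarden's code; the types, function names and sample data are constructed for illustration): the unfiltered handler returns every cipher in the organization once membership is confirmed, while the hardened handler restricts a regular member to ciphers in collections they belong to.

```rust
use std::collections::HashSet;

// Constructed, simplified data model; not Vaultwarden's own types.
#[derive(Debug, Clone, PartialEq)]
pub struct Cipher {
    pub id: &'static str,
    pub org_id: &'static str,
    pub collection_ids: Vec<&'static str>,
}

pub struct Membership {
    pub org_id: &'static str,
    pub is_admin: bool, // owners/admins legitimately see every org cipher
    pub collection_ids: HashSet<&'static str>,
}

/// Vulnerable shape: once organization membership is confirmed, every
/// cipher in the organization is returned; collection access is ignored.
pub fn organization_details_unfiltered<'a>(m: &Membership, all: &'a [Cipher]) -> Vec<&'a Cipher> {
    all.iter().filter(|c| c.org_id == m.org_id).collect()
}

/// Hardened shape: a regular member only receives ciphers that sit in at
/// least one collection they belong to; admins keep full visibility.
pub fn organization_details_filtered<'a>(m: &Membership, all: &'a [Cipher]) -> Vec<&'a Cipher> {
    all.iter()
        .filter(|c| c.org_id == m.org_id)
        .filter(|c| m.is_admin || c.collection_ids.iter().any(|id| m.collection_ids.contains(id)))
        .collect()
}

/// Constructed sample: three ciphers in org "org-1", one in a collection
/// the regular member can see and two in collections they cannot.
pub fn sample_ciphers() -> Vec<Cipher> {
    vec![
        Cipher { id: "c1", org_id: "org-1", collection_ids: vec!["col-eng"] },
        Cipher { id: "c2", org_id: "org-1", collection_ids: vec!["col-finance"] },
        Cipher { id: "c3", org_id: "org-1", collection_ids: vec!["col-hr", "col-finance"] },
    ]
}

pub fn regular_member() -> Membership {
    Membership { org_id: "org-1", is_admin: false, collection_ids: HashSet::from(["col-eng"]) }
}

fn main() {
    let ciphers = sample_ciphers();
    let m = regular_member();
    let allowed = organization_details_filtered(&m, &ciphers);
    // Ciphers the unfiltered handler exposes beyond the member's collections.
    let leaked: Vec<&str> = organization_details_unfiltered(&m, &ciphers)
        .into_iter().filter(|c| !allowed.contains(c)).map(|c| c.id).collect();
    println!("ciphers exposed only by the unfiltered handler: {:?}", leaked);
}
```

The difference between the two result sets is the regression check a deployment can keep: for a non-admin member it must be empty.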
Remediation
Users are advised to update Vaultwarden to version 1.35.3 or later.