Vaultwarden Privilege Escalation Vulnerability via Unauthorized Bulk Permission Updates

Vulnerability

A privilege escalation vulnerability has been identified in Vaultwarden versions prior to 1.35.4. This issue allows accounts with the Manager role to gain access to collections that were never assigned to them by using the bulk-access API to update those collections' permissions. The vulnerability arises because the bulk-access API does not apply an authorization check for each individual collection in the request, enabling unauthorized access to sensitive information. Exploitation can also disrupt access for legitimate users by deleting their collection assignments.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive information in restricted collections, unauthorized changes to collection permission settings, and potential disruption of access for legitimate users.

Reproduction

To reproduce this vulnerability, log in with a valid Manager account that has not been assigned certain collections. Use the bulk-access API to change permission settings for those unassigned collections; the request is processed without proper authorization checks. After the bulk update, the standard update API returns a success response, confirming that the unauthorized permission changes have been applied.
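As an added illustration (not Vaultwarden's own code, and using an assumed in-memory model rather than its schema), the following Rust shows the pattern behind the flaw described in the Vulnerability and Reproduction sections: a bulk permission update that verifies only the caller's Manager role, beside a hardened version that authorizes every collection in the request before applying any change. The names Org, Update, BulkError, bulk_update_unchecked, bulk_update_checked and sample_org are all hypothetical.

```rust
use std::collections::{HashMap, HashSet};
// Hypothetical model, not Vaultwarden's schema. An update is (collection, member, read_only).
pub type Update = (u32, u32, bool);
#[derive(Default)]
pub struct Org {
    pub manages: HashMap<u32, HashSet<u32>>,      // manager id -> collections assigned to them
    pub access: HashMap<u32, HashMap<u32, bool>>, // collection id -> member id -> read_only
}
#[derive(Debug, PartialEq)]
pub enum BulkError { NotAManager, NotAuthorized(u32), UnknownCollection(u32) }
impl Org {
    /// Flawed pattern: only checks that the caller is a Manager of something, then
    /// applies every entry, including collections never assigned to that Manager.
    pub fn bulk_update_unchecked(&mut self, actor: u32, updates: &[Update]) -> Result<usize, BulkError> {
        if !self.manages.contains_key(&actor) {
            return Err(BulkError::NotAManager);
        }
        for &(coll, member, read_only) in updates {
            self.access.entry(coll).or_default().insert(member, read_only);
        }
        Ok(updates.len())
    }

    /// Hardened pattern: authorize each collection before mutating anything, so a
    /// request naming one unassigned collection is rejected whole, not partially applied.
    pub fn bulk_update_checked(&mut self, actor: u32, updates: &[Update]) -> Result<usize, BulkError> {
        let managed = self.manages.get(&actor).ok_or(BulkError::NotAManager)?;
        for &(coll, _, _) in updates {
            if !self.access.contains_key(&coll) {
                return Err(BulkError::UnknownCollection(coll));
            }
            if !managed.contains(&coll) {
                return Err(BulkError::NotAuthorized(coll));
            }
        }
        for &(coll, member, read_only) in updates {
            self.access.get_mut(&coll).expect("checked above").insert(member, read_only);
        }
        Ok(updates.len())
    }
}

/// Constructed sample: Manager 1 is assigned collection 10 only; member 2 can see collection 20.
pub fn sample_org() -> Org {
    let mut org = Org::default();
    org.manages.insert(1, HashSet::from([10]));
    org.access.insert(10, HashMap::new());
    org.access.insert(20, HashMap::from([(2, true)]));
    org
}
```

Checking authorization for every collection before any write also prevents a half-applied request from removing legitimate users' assignments.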

Remediation

Users are advised to update Vaultwarden to version 1.35.4 or later, where this vulnerability has been patched.

Added: Mar 4, 2026, 10:20 PM
Updated: Mar 4, 2026, 10:20 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          5.0
exploitability  6.6
remediation     0.0
relevance       3.5
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.