Vaultwarden Privilege Escalation Vulnerability in Collection Management
Vulnerability
A vulnerability in Vaultwarden prior to version 1.35.4 allows Managers to perform unauthorized collection management operations. Even with 'manage=false' permissions, they can update collection settings, escalate their own permission to 'manage=true', and delete collections. The issue arises because the access check on the management endpoints only verifies whether a user can access the collection, not whether they hold management rights over it. As a result, restricted Managers can bypass the intended access limitations and gain control over the collection equivalent to an administrator's.
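The root cause described above is a confusion between two distinct authorization questions: "may this user see the collection?" and "may this user manage it?". The following Rust example, added here and not taken from Vaultwarden's code base, models that distinction with a hypothetical membership structure (the `OrgRole`, `CollectionAccess`, `Membership` types and the `can_access_collection`/`can_manage_collection` functions are assumptions for illustration). The same management handler is run once behind the weak access check and once behind the manage check, so the difference between the vulnerable and the fixed behaviour is visible on constructed sample data.

```rust
// Added example (not Vaultwarden's own code): separating a visibility check
// from a management check for collection operations. All types and names
// here are hypothetical; the sample data is constructed.

use std::collections::HashMap;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum OrgRole {
    Owner,
    Admin,
    Manager,
    User,
}

/// Per-user, per-collection assignment (hypothetical shape).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct CollectionAccess {
    pub read_only: bool,
    pub manage: bool,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Collection {
    pub id: u32,
    pub name: String,
}

/// Organization membership with per-collection assignments (hypothetical).
pub struct Membership {
    pub role: OrgRole,
    pub collections: HashMap<u32, CollectionAccess>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum AuthzError {
    NotFound,
    Forbidden,
}

/// The three operations the advisory lists as reachable by a restricted Manager.
pub enum ManagementOp<'a> {
    Rename(&'a str),
    GrantSelfManage,
    Delete,
}

/// Weak check: "is the collection visible to this user at all?"
/// Sufficient for read endpoints, insufficient for management endpoints.
pub fn can_access_collection(m: &Membership, coll_id: u32) -> bool {
    matches!(m.role, OrgRole::Owner | OrgRole::Admin) || m.collections.contains_key(&coll_id)
}

/// Strong check: the assignment itself must carry the manage flag, unless the
/// user is an org-wide Owner/Admin. Access is necessary but not sufficient.
pub fn can_manage_collection(m: &Membership, coll_id: u32) -> bool {
    match m.role {
        OrgRole::Owner | OrgRole::Admin => true,
        _ => m.collections.get(&coll_id).map_or(false, |a| a.manage),
    }
}

/// Applies a management operation behind whichever check is passed in.
/// Gating on `can_access_collection` reproduces the vulnerable behaviour;
/// gating on `can_manage_collection` is the corrected behaviour.
pub fn apply_op(
    store: &mut HashMap<u32, Collection>,
    m: &mut Membership,
    coll_id: u32,
    op: ManagementOp<'_>,
    check: fn(&Membership, u32) -> bool,
) -> Result<(), AuthzError> {
    // Authorize first so that existence is not leaked to unauthorized callers.
    if !check(&*m, coll_id) {
        return Err(AuthzError::Forbidden);
    }
    if !store.contains_key(&coll_id) {
        return Err(AuthzError::NotFound);
    }
    match op {
        ManagementOp::Rename(name) => store.get_mut(&coll_id).unwrap().name = name.to_string(),
        ManagementOp::GrantSelfManage => {
            let default = CollectionAccess { read_only: false, manage: false };
            m.collections.entry(coll_id).or_insert(default).manage = true;
        }
        ManagementOp::Delete => {
            store.remove(&coll_id);
        }
    }
    Ok(())
}

/// Constructed scenario: a Manager assigned to collection 1 with manage=false.
pub fn restricted_manager() -> Membership {
    let mut collections = HashMap::new();
    collections.insert(1, CollectionAccess { read_only: false, manage: false });
    Membership { role: OrgRole::Manager, collections }
}

/// Constructed store holding a single collection.
pub fn sample_store() -> HashMap<u32, Collection> {
    let mut store = HashMap::new();
    store.insert(1, Collection { id: 1, name: "Finance".to_string() });
    store
}

fn main() {
    let mut m = restricted_manager();
    let mut store = sample_store();
    let weak = apply_op(&mut store, &mut m, 1, ManagementOp::Rename("Renamed"), can_access_collection);
    let strong = apply_op(&mut store, &mut m, 1, ManagementOp::Rename("Again"), can_manage_collection);
    println!("collection {}: access-only gate -> {:?}, manage gate -> {:?}", store[&1].id, weak, strong);
}
```

The detection angle is the same distinction applied to logs: a management endpoint returning success for a principal whose assignment record has `manage=false` is the signal to alert on, and after upgrading to 1.35.4 such a request should be answered with a forbidden response instead.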
Impact
Exploitation of this vulnerability could lead to unauthorized privilege escalation, allowing a Manager to gain full control over a collection, including the ability to delete it. Such actions could disrupt business operations and cause data loss.
Reproduction
To reproduce this vulnerability, a Manager must have access to a collection on which their 'manage' permission is set to false. They can then use the API to perform management operations, such as updating collection settings or deleting the collection, despite lacking the required management rights. This is done by sending requests to the collection management endpoints with a valid API access token.
Remediation
Users are advised to update Vaultwarden to version 1.35.4 or later, where this vulnerability has been patched.
