Vaultwarden Missing Authorization Vulnerability in Collection Details Endpoint Allows Unauthorized Access to Organizational Data
Vulnerability
A vulnerability exists in Vaultwarden versions through 1.35.4, specifically in the get_org_collections_details endpoint. This endpoint lacks the necessary has_full_access authorization check, which is present in the related get_org_collections endpoint. As a result, any Manager-role user with accessAll=False and no collection assignments can access the names, UUIDs, and user-to-collection and group-to-collection mappings for all collections within the organization. This issue has been addressed in version 1.35.5.
Impact
Exploitation of this vulnerability allows a Manager with limited collection access to enumerate all collection names, potentially exposing sensitive organizational information, such as 'Executive Passwords' or 'Financial Systems'. Additionally, it enables the discovery of user-to-collection mappings and group-to-collection assignments, violating the principle of least privilege and facilitating reconnaissance for further attacks.
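The missing check described above, modelled as an added Rust example (this is not Vaultwarden's code): a minimal collection-details handler in the vulnerable shape, beside a hardened one that applies the same has_full_access gate the list endpoint uses. The types, function names, and the policy of narrowing a non-full-access Manager to only the collections assigned to them are assumptions for the illustration.

```rust
// Added example, not Vaultwarden's code: the types, function names and the
// "narrow to assignments" policy in the hardened form are assumed here.
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Role { Owner, Admin, Manager, User }
pub struct Member { pub org_id: &'static str, pub role: Role, pub access_all: bool, pub collection_ids: Vec<&'static str> }
// user_ids is the user-to-collection mapping the advisory says was exposed.
pub struct Collection { pub id: &'static str, pub org_id: &'static str, pub name: &'static str, pub user_ids: Vec<&'static str> }

/// The gate the advisory names: owners, admins, or members with access_all.
pub fn has_full_access(m: &Member) -> bool {
    matches!(m.role, Role::Owner | Role::Admin) || m.access_all
}

/// Shared precondition of both handlers: caller is at least a Manager of this org.
fn is_org_manager(m: &Member, org: &str) -> Result<(), &'static str> {
    if m.org_id == org && m.role != Role::User { Ok(()) } else { Err("forbidden") }
}

/// Vulnerable shape: membership and role are the only checks, so a Manager
/// with access_all=false and no assignments still receives every collection.
pub fn details_unchecked<'a>(m: &Member, org: &str, all: &'a [Collection])
    -> Result<Vec<&'a Collection>, &'static str> {
    is_org_manager(m, org)?;
    Ok(all.iter().filter(|c| c.org_id == org).collect())
}

/// Hardened shape: apply has_full_access as the list endpoint does; otherwise
/// return only the collections the caller is explicitly assigned to.
pub fn details_checked<'a>(m: &Member, org: &str, all: &'a [Collection])
    -> Result<Vec<&'a Collection>, &'static str> {
    is_org_manager(m, org)?;
    let in_org = all.iter().filter(|c| c.org_id == org);
    if has_full_access(m) { return Ok(in_org.collect()); }
    Ok(in_org.filter(|c| m.collection_ids.contains(&c.id)).collect())
}

/// Constructed sample data: one limited Manager and two sensitive collections.
pub fn sample() -> (Member, Vec<Collection>) {
    let m = Member { org_id: "org-1", role: Role::Manager, access_all: false, collection_ids: vec![] };
    let all = vec![
        Collection { id: "c-1", org_id: "org-1", name: "Executive Passwords", user_ids: vec!["u-ceo"] },
        Collection { id: "c-2", org_id: "org-1", name: "Financial Systems", user_ids: vec!["u-cfo"] },
    ];
    (m, all)
}

fn main() {
    let (m, all) = sample();
    println!("unchecked: {}", details_unchecked(&m, "org-1", &all).unwrap().len()); // 2
    println!("checked:   {}", details_checked(&m, "org-1", &all).unwrap().len());   // 0
}
```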
Remediation
Users are advised to update to Vaultwarden version 1.35.5, where this vulnerability has been fixed.
