Vaultwarden Cross-Organization Privilege Escalation Vulnerability
Vulnerability
A vulnerability in Vaultwarden prior to version 1.35.5 allows cross-organization group binding, leading to unauthorized access to vault data. The issue arises because the application does not verify that the group entries and collection entries referenced in a request belong to the same organization as the group being modified. An attacker with admin rights in one organization can exploit this flaw to access and manipulate data in another organization where they hold only a lower privilege.
Impact
Exploitation of this vulnerability breaks organizational isolation, allowing an attacker to access and modify vault items in a different organization.
Reproduction
To reproduce this vulnerability, an attacker must be an admin in one organization and a low-privileged member in another. The attacker can then bind their membership UUID from the second organization into a group in the first organization, bypassing organizational checks. After this, the attacker can use the group's permissions to access vault data from the second organization. Additionally, the attacker can extend this access to write operations by re-binding collection IDs from the leaked data into the same group.
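The following is an added illustrative model, not Vaultwarden's own code, showing the class of missing check described above and the fix for it. It keeps a minimal in-memory picture of memberships, groups and collections and implements a group-binding routine in two forms: one that only checks that the referenced rows exist, and one that also requires every membership and collection to belong to the group's own organization. All identifiers ("org-a", "mem-b", "col-b", "mallory" and so on) and the helper names (`bind_unchecked`, `bind_checked`, `collections_via_groups`, `sample_store`) are constructed for this example and do not correspond to anything in the project.

```rust
// Added illustrative model, not Vaultwarden's own code. All IDs are constructed sample data.
use std::collections::HashMap;

#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub struct Id(pub &'static str);

#[derive(Debug, Clone)]
pub struct Membership { pub id: Id, pub org_id: Id, pub user_id: Id }

#[derive(Debug, Clone)]
pub struct Collection { pub id: Id, pub org_id: Id }

#[derive(Debug, Clone)]
pub struct Group { pub id: Id, pub org_id: Id, pub members: Vec<Id>, pub collections: Vec<Id> }

#[derive(Debug, PartialEq, Eq)]
pub enum BindError { NotFound, CrossOrganization }

#[derive(Default)]
pub struct Store {
    pub memberships: HashMap<Id, Membership>,
    pub collections: HashMap<Id, Collection>,
    pub groups: HashMap<Id, Group>,
}

impl Store {
    /// Vulnerable form: only checks that the referenced rows exist, so a
    /// membership or collection owned by another organization is accepted.
    pub fn bind_unchecked(&mut self, group_id: &Id, member_ids: &[Id], collection_ids: &[Id]) -> Result<(), BindError> {
        if member_ids.iter().any(|m| !self.memberships.contains_key(m))
            || collection_ids.iter().any(|c| !self.collections.contains_key(c)) {
            return Err(BindError::NotFound);
        }
        let group = self.groups.get_mut(group_id).ok_or(BindError::NotFound)?;
        group.members.extend_from_slice(member_ids);
        group.collections.extend_from_slice(collection_ids);
        Ok(())
    }

    /// Hardened form: every membership and collection must belong to the
    /// group's own organization. The whole request is validated before any
    /// write happens, so a rejected request leaves no partial binding behind.
    pub fn bind_checked(&mut self, group_id: &Id, member_ids: &[Id], collection_ids: &[Id]) -> Result<(), BindError> {
        let org_id = self.groups.get(group_id).ok_or(BindError::NotFound)?.org_id.clone();
        for m in member_ids {
            let membership = self.memberships.get(m).ok_or(BindError::NotFound)?;
            if membership.org_id != org_id { return Err(BindError::CrossOrganization); }
        }
        for c in collection_ids {
            let collection = self.collections.get(c).ok_or(BindError::NotFound)?;
            if collection.org_id != org_id { return Err(BindError::CrossOrganization); }
        }
        let group = self.groups.get_mut(group_id).ok_or(BindError::NotFound)?;
        group.members.extend_from_slice(member_ids);
        group.collections.extend_from_slice(collection_ids);
        Ok(())
    }

    /// Collections a user can reach through group membership, sorted and deduplicated.
    pub fn collections_via_groups(&self, user_id: &Id) -> Vec<Id> {
        let mut out: Vec<Id> = self.groups.values()
            .filter(|g| g.members.iter().any(|m| self.memberships.get(m).map_or(false, |mem| &mem.user_id == user_id)))
            .flat_map(|g| g.collections.iter().cloned())
            .collect();
        out.sort_by(|a, b| a.0.cmp(b.0));
        out.dedup();
        out
    }
}

/// Constructed scenario: user "mallory" is an admin of org A and a plain member
/// of org B; org B owns collection "col-b"; group "grp-a" lives in org A.
pub fn sample_store() -> Store {
    let mut s = Store::default();
    s.memberships.insert(Id("mem-a"), Membership { id: Id("mem-a"), org_id: Id("org-a"), user_id: Id("mallory") });
    s.memberships.insert(Id("mem-b"), Membership { id: Id("mem-b"), org_id: Id("org-b"), user_id: Id("mallory") });
    s.collections.insert(Id("col-b"), Collection { id: Id("col-b"), org_id: Id("org-b") });
    s.groups.insert(Id("grp-a"), Group { id: Id("grp-a"), org_id: Id("org-a"), members: vec![], collections: vec![] });
    s
}

fn main() {
    // Without the check, the org-B membership and collection land in the org-A group
    // and the user reaches "col-b" through a group they administer elsewhere.
    let mut vulnerable = sample_store();
    let r = vulnerable.bind_unchecked(&Id("grp-a"), &[Id("mem-b")], &[Id("col-b")]);
    println!("unchecked bind: {:?}, reachable: {:?}", r, vulnerable.collections_via_groups(&Id("mallory")));

    // With the check, the same request is refused and nothing is written.
    let mut fixed = sample_store();
    let r = fixed.bind_checked(&Id("grp-a"), &[Id("mem-b")], &[Id("col-b")]);
    println!("checked bind: {:?}, reachable: {:?}", r, fixed.collections_via_groups(&Id("mallory")));
}
```

The design point is that the organization check is derived from the group being modified, not from the caller's claimed organization, and that validation completes over the whole request before any row is written; a check applied per item during the write would still allow a partially applied cross-organization binding to persist after an error.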
Remediation
Users are advised to update Vaultwarden to version 1.35.5 or later.