{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26012", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T21:36:29.553Z", "datePublished": "2026-02-11T21:14:58.102Z", "dateUpdated": "2026-02-12T21:15:25.318Z"}, "containers": {"cna": {"title": "vaultwarden has Full Cipher Enumeration Ignoring Organization Collection Permissions", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h265-g7rm-h337", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h265-g7rm-h337"}, {"name": "https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.3"}], "affected": [{"vendor": "dani-garcia", "product": "vaultwarden", "versions": [{"version": "< 1.35.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-11T21:14:58.102Z"}, "descriptions": [{"lang": "en", "value": "vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to 1.35.3, a regular organization member can retrieve all ciphers within an organization, regardless of collection permissions. The endpoint /ciphers/organization-details is accessible to any organization member and internally uses Cipher::find_by_org to retrieve all ciphers. These ciphers are returned with CipherSyncType::Organization without enforcing collection-level access control. This vulnerability is fixed in 1.35.3."}], "source": {"advisory": "GHSA-h265-g7rm-h337", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-12T21:15:06.556593Z", "id": "CVE-2026-26012", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T21:15:25.318Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "vaultwarden has Full Cipher Enumeration Ignoring Organization Collection Permissions", "source": {"advisory": "GHSA-h265-g7rm-h337", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "dani-garcia", "product": "vaultwarden", "versions": [{"status": "affected", "version": "< 1.35.3"}]}], "references": [{"url": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h265-g7rm-h337", "name": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h265-g7rm-h337", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.3", "name": "https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to 1.35.3, a regular organization member can retrieve all ciphers within an organization, regardless of collection permissions. The endpoint /ciphers/organization-details is accessible to any organization member and internally uses Cipher::find_by_org to retrieve all ciphers. These ciphers are returned with CipherSyncType::Organization without enforcing collection-level access control. This vulnerability is fixed in 1.35.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-11T21:14:58.102Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26012", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-12T21:15:06.556593Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-02-12T21:15:21.617Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-26012", "state": "PUBLISHED", "dateUpdated": "2026-02-11T21:14:58.102Z", "dateReserved": "2026-02-09T21:36:29.553Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-11T21:14:58.102Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dani-garcia:vaultwarden:*:*:*:*:*:*:*:*", "matchCriteriaId": "79A968D5-FAC8-49BF-8FA6-8F54218D1875", "versionEndExcluding": "1.35.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to 1.35.3, a regular organization member can retrieve all ciphers within an organization, regardless of collection permissions. The endpoint /ciphers/organization-details is accessible to any organization member and internally uses Cipher::find_by_org to retrieve all ciphers. These ciphers are returned with CipherSyncType::Organization without enforcing collection-level access control. This vulnerability is fixed in 1.35.3."}], "id": "CVE-2026-26012", "lastModified": "2026-02-13T21:41:01.003", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-11T22:15:51.703", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.3"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h265-g7rm-h337"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "vaultwarden: Vaultwarden: Information disclosure due to bypassed collection permissions", "id": "2439184", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439184"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-1220", "details": ["A flaw was found in vaultwarden, an unofficial Bitwarden compatible server. A regular organization member can retrieve all ciphers (encrypted data) within an organization, bypassing collection-level access controls. This allows for unauthorized information disclosure, potentially exposing sensitive data."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-26012", "public_date": "2026-02-11T21:14:58Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-26012\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-26012\nhttps://github.com/dani-garcia/vaultwarden/releases/tag/1.35.3\nhttps://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h265-g7rm-h337"], "statement": "MODERATE: This flaw allows an authenticated organization member to bypass collection permissions and enumerate all ciphers within a Vaultwarden organization. This could lead to unauthorized disclosure of sensitive information. Red Hat does not ship Vaultwarden as part of its products; however, customers deploying Vaultwarden in their environment may be affected.", "threat_severity": "Moderate"}