2 matches found
GHSA-W9F8-M526-H7FH Vaultwarden has Unauthorized Access via Partial Update API on Another User’s Cipher
Summary In the test environment, it was confirmed that an authenticated regular user can specify another user’s cipherid and call: PUT /api/ciphers/id/partial Even though the standard retrieval API correctly denies access to that cipher, the partial update endpoint returns 200 OK and exposes...
Vaultwarden -- Multiple vulnerabilities
The Vaultwarden project reports: GHSA-w9f8-m526-h7fh. This vulnerability would allow an attacker to access a cipher from a different user fully encrypted if they already know its internal UUID. GHSA-h4hq-rgvh-wh27. This vulnerability allows an attacker with manager-level access within an...