34 matches found

EUVD
added 2026/05/11 9:56 p.m., 5 views

EUVD-2026-29340

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden does not enforce that a groupsusers.usersorganizationsuuid entry belongs to the same organization as groups.groupsuuid, or a collectionsgroups.collectionsuuid entry belongs to the same organization as...

CVSS 8.7, AI score 5.9, EPSS 0.00043
Exploits 1, References 1
NVD
added 2026/05/11 6:16 p.m., 9 views

CVE-2026-43638

Bitwarden Server prior to v2026.4.1 contains a missing authorization vulnerability that allows any authenticated user to write ciphers into an arbitrary organization via POST /ciphers/import-organization by submitting an empty collections array, which causes the server-side permission check to be...

CVSS 5.4, EPSS 0.00029
Exploits 1, References 5
Cvelist
added 2026/05/11 5:13 p.m., 31 views

CVE-2026-43638 Bitwarden Server < 2026.4.1 Missing Authorization via Organization Cipher Import

Bitwarden Server prior to v2026.4.1 contains a missing authorization vulnerability that allows any authenticated user to write ciphers into an arbitrary organization via POST /ciphers/import-organization by submitting an empty collections array, which causes the server-side permission check to be...

CVSS 5.4, EPSS 0.00029
Exploits 1, References 5
CVE
added 2026/05/11 5:13 p.m., 25 views

CVE-2026-43638

Bitwarden Server before 2026.4.1 contains a missing authorization vulnerability that lets any authenticated user write ciphers into an arbitrary organization via POST /ciphers/import-organization by submitting an empty collections array, bypassing the server-side permission check. Affected produc...

CVSS 5.4, AI score 5.9, EPSS 0.00029
Exploits 1, References 5, Affected Software 1
Vulnrichment
added 2026/05/11 5:13 p.m., 9 views

CVE-2026-43638 Bitwarden Server < 2026.4.1 Missing Authorization via Organization Cipher Import

Bitwarden Server prior to v2026.4.1 contains a missing authorization vulnerability that allows any authenticated user to write ciphers into an arbitrary organization via POST /ciphers/import-organization by submitting an empty collections array, which causes the server-side permission check to be...

CVSS 5.4, AI score 5.9, EPSS 0.00029
Exploits 1, References 5
CNNVD
added 2026/05/11 12:00 a.m., 4 views

bitwarden security vulnerability

Bitwarden is an open-source password management backend service developed by Bitwarden. Versions of Bitwarden prior to 2026.4.1 contained security vulnerabilities. These vulnerabilities stemmed from the lack of authorization checks, allowing any authenticated user to write passwords to any...

CVSS 5.4, AI score 5.8, EPSS 0.00029
Exploits 1, References 1
Github Security Blog
added 2026/04/15 6:31 p.m., 6 views

Velociraptor vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token

Velociraptor versions prior to 0.76.3 contain a vulnerability in the query plugin which allows access to all orgs with the user's current ACL token. This allows an authenticated GUI user with access in one org, to use the query plugin, in a notebook cell, to run VQL queries on other orgs which th...

CVSS 9.1, AI score 5.8, EPSS 0.00045
Exploits 0, References 3, Affected Software 1
OSV
added 2026/03/06 10:20 p.m., 3 views

GHSA-CWC3-P92J-G7QM Flowise has IDOR leading to Account Takeover and Enterprise Feature Bypass via SSO Configuration

Summary The Flowise platform has a critical Insecure Direct Object Reference IDOR vulnerability combined with a Business Logic Flaw in the PUT /api/v1/loginmethod endpoint. While the endpoint requires authentication, it fails to validate if the authenticated user has ownership or administrative...

CVSS 8.8, AI score 5.8, EPSS 0.00033
Exploits 1, References 4
Positive Technologies
added 2026/03/06 12:00 a.m., 3 views

PT-2026-23789

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.0.13 Description Flowise is a drag & drop user interface to build customized large language model flows. A critical Insecure Direct Object Reference IDOR vulnerability, combined with a Business Logic Flaw, exists in...

CVSS 8.8, AI score 7.3, EPSS 0.00033
Exploits 1, References 4
ATTACKERKB
added 2026/02/11 9:14 p.m., 3 views

CVE-2026-26012

vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwardenrs. Prior to 1.35.3, a regular organization member can retrieve all ciphers within an organization, regardless of collection permissions. The endpoint /ciphers/organization-details is accessible t...

CVSS 6.5, AI score 5.5, EPSS 0.00013
Exploits 2, References 3, Affected Software 1
Positive Technologies
added 2026/02/11 12:00 a.m., 6 views

PT-2026-7721

Name of the Vulnerable Software and Affected Versions vaultwarden versions prior to 1.35.3 Description vaultwarden, an unofficial Bitwarden compatible server written in Rust, previously known as bitwarden rs, had a flaw where a standard organization member could access all ciphers within an...

CVSS 6.5, AI score 5.4, EPSS 0.00013
Exploits 2, References 9
RedhatCVE
added 2025/12/19 8:18 p.m., 2 views

CVE-2025-64400

Control Panel provides an API for pre-registering into an enrollment and organization prior to a user's first login. The API for creating users checks that the account requesting a user creation has edit on the enrollment-level user directory, but is missing a separate check that the enrollment...

CVSS 4.1, AI score 6.7, EPSS 0.00051
Exploits 0, References 1
CVE
added 2025/12/18 7:32 p.m., 5 views

CVE-2025-64400

The CVE-2025-64400 case concerns Palantir’s Control Panel, where the API for pre-registering users into an enrollment and organization before first login contains insufficient permission checks. Specifically, the user-creation function verifies that the requester has edit rights on the enrollment...

CVSS 4.1, AI score 6.4, EPSS 0.00051
Exploits 0, References 1
Vulnrichment
added 2025/12/18 7:32 p.m., 1 view

CVE-2025-64400 Insufficient permission checks when pre-enrolling users Summary

Control Panel provides an API for pre-registering into an enrollment and organization prior to a user's first login. The API for creating users checks that the account requesting a user creation has edit on the enrollment-level user directory, but is missing a separate check that the enrollment...

CVSS 4.1, AI score 6.4, EPSS 0.00051
Exploits 0, References 1
CVE
added 2025/12/15 12:00 a.m., 9 views

CVE-2025-65780

CVE-2025-65780 affects Wekan up to version 18.15 (fixed in 18.16). The issue allows an authenticated user to modify their entire user document (including orgs/teams and loginDisabled) due to missing server-side authorization checks, enabling privilege escalation and unauthorized access to other t...

CVSS 8.8, AI score 6.8, EPSS 0.00075
Exploits 0, References 4, Affected Software 1
EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2024-47026

Malicious code in bioql PyPI...

CVSS 4.2, AI score 6.6, EPSS 0.00117
Exploits 0, References 2
RedhatCVE
added 2025/05/23 3:55 a.m., 4 views

CVE-2023-3426

The organization selector in Liferay Portal 7.4.3.81 through 7.4.3.85, and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations...

CVSS 4.3, AI score 6.4, EPSS 0.00432
Exploits 0
RedhatCVE
added 2025/05/23 3:16 a.m., 3 views

CVE-2023-22738

vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Assigning existing users to a different organization is currently possible. It may lead to unintended access: if a user from organization A is accidentally assigned to organization B, they will retain...

CVSS 6.5, AI score 6.7, EPSS 0.00162
Exploits 0, References 1
OSV
added 2024/09/10 3:15 p.m., 2 views

CVE-2024-45323

An improper access control vulnerability CWE-284 in FortiEDR Manager API 6.2.0 through 6.2.2, 6.0 all versions may allow in a shared environment context an authenticated admin with REST API permissions in his profile and restricted to a specific organization to access backend logs that include...

CVSS 2.7, AI score 5.8, EPSS 0.00196
Exploits 0, References 1
Vulnrichment
added 2024/09/10 2:37 p.m., 21 views

CVE-2024-45323

An improper access control vulnerability CWE-284 in FortiEDR Manager API 6.2.0 through 6.2.2, 6.0 all versions may allow in a shared environment context an authenticated admin with REST API permissions in his profile and restricted to a specific organization to access backend logs that include...

CVSS 4.3, AI score 6.7, EPSS 0.00196
Exploits 0, References 1