5 matches found
CVE-2026-33420
A flaw was found in Vaultwarden. A Manager-role user with limited access permissions can exploit a missing authorization check in the get_org_collections_details endpoint. This vulnerability allows the user to retrieve sensitive information, including names, UUIDs, and user and group mappings for al...
CVE-2026-33420 Vaultwarden missing authorization check allows Manager-role users to enumerate all collections
Vaultwarden is a Bitwarden-compatible server written in Rust. In version 1.35.4 and earlier, the get_org_collections_details endpoint GET /api/organizations/{org_id}/collections/details is missing the has_full_access authorization check that exists on the sibling get_org_collections endpoint. This allows a...
CVE-2026-33420
Vaultwarden (Rust) versions 1.35.4 and earlier are affected by a missing has_full_access() authorization check on GET /api/organizations/{org_id}/collections/details, allowing any Manager-role user with accessAll=False and no collection assignments to enumerate all collections’ names, UUIDs, user...
Vaultwarden security vulnerability
Vaultwarden is an alternative implementation of the Bitwarden server API, developed by Daniel García. Versions of Vaultwarden 1.35.4 and earlier contained a security vulnerability. This vulnerability stemmed from the lack of a has_full_access authorization check in the get_org_collections_details...
PT-2026-37220
Vaultwarden is a Bitwarden-compatible server written in Rust. In version 1.35.4 and earlier, the get_org_collections_details endpoint GET /api/organizations/{org_id}/collections/details is missing the has_full_access authorization check that exists on the sibling get_org_collections endpoint. This...
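The entries above all describe the same defect: the details endpoint skips the has_full_access() gate that its sibling applies, so a Manager with accessAll=False and no collection assignments still receives every collection's name, UUID and user mapping. The following is an added, constructed Rust model of that authorization gap beside a hardened form; it is not Vaultwarden's own code, handlers or types. The Role enum, the Membership and CollectionDetails structs, the sample collection table, the rule used for has_full_access() (Owner/Admin or accessAll) and the fallback to the member's own assignments in the fixed variant are all assumptions made for this example, not the project's actual implementation or patch.

```rust
use std::collections::HashSet;

// Constructed model of the org-membership fields that matter for this bug.
// Illustrative only: these are not Vaultwarden's own types or handlers.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Role {
    Owner,
    Admin,
    Manager,
    User,
}

#[derive(Debug)]
pub struct Membership {
    pub role: Role,
    /// Bitwarden's accessAll flag: member may see every collection in the org.
    pub access_all: bool,
    /// UUIDs of collections explicitly assigned to this member.
    pub assigned: HashSet<&'static str>,
}

impl Membership {
    /// Assumed rule for has_full_access(): Owner/Admin, or any member with accessAll.
    pub fn has_full_access(&self) -> bool {
        matches!(self.role, Role::Owner | Role::Admin) || self.access_all
    }
}

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct CollectionDetails {
    pub uuid: &'static str,
    pub name: &'static str,
    /// User IDs mapped to this collection: the sensitive part of the response.
    pub users: Vec<&'static str>,
}

/// Constructed org-wide table standing in for the database query.
pub fn all_collections() -> Vec<CollectionDetails> {
    vec![
        CollectionDetails { uuid: "c-1", name: "Finance", users: vec!["u-alice"] },
        CollectionDetails { uuid: "c-2", name: "HR", users: vec!["u-bob", "u-carol"] },
        CollectionDetails { uuid: "c-3", name: "Infra", users: vec!["u-dave"] },
    ]
}

/// Vulnerable shape of /collections/details as the advisory describes it:
/// the caller's membership is never consulted, so every collection is returned.
pub fn collections_details_vulnerable(_member: &Membership) -> Vec<CollectionDetails> {
    all_collections()
}

/// Hardened shape: apply the same has_full_access() gate as the sibling
/// /collections endpoint. Falling back to the member's own assignments is an
/// assumption made for this example, not the project's actual fix.
pub fn collections_details_fixed(member: &Membership) -> Vec<CollectionDetails> {
    let all = all_collections();
    if member.has_full_access() {
        return all;
    }
    all.into_iter()
        .filter(|c| member.assigned.contains(c.uuid))
        .collect()
}

fn main() {
    // The exact caller the advisory names: Manager, accessAll=False, no assignments.
    let manager = Membership { role: Role::Manager, access_all: false, assigned: HashSet::new() };
    println!("vulnerable: {} collections", collections_details_vulnerable(&manager).len());
    println!("fixed:      {} collections", collections_details_fixed(&manager).len());
}
```

The point of the model is that the two endpoints read from the same table; the only difference between leaking and not leaking is whether the handler consults the membership before returning rows. When reviewing sibling endpoints that serve overlapping data, check that each one applies the same gate rather than assuming the caller already passed it elsewhere.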