CVE-2026-27802:
Privilege escalation vulnerability in Vaultwarden server allows unauthorized collection access by managers.
Score: 8.3 (High)
- Published Date: Mar 4, 2026
- CISA KEV Date: no data
- Industries Affected: 20
Exploitability
- Score: 2.8
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: LOW
- User Interaction: NONE
- Scope: UNCHANGED
Impact
- Score: 5.5
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: LOW
Overview
Vaultwarden, formerly known as bitwarden_rs, is a widely used alternative server implementation compatible with Bitwarden password manager clients. The vulnerability (CVE-2026-27802) is a privilege escalation flaw: improper access control during bulk permission updates lets a user holding the manager role obtain access to collections they were never granted. It carries a CVSS v3.1 base score of 8.3 (High severity). The attack complexity is low, and the flaw can be exploited over the network by an authenticated user with low privileges and without any user interaction. It primarily impacts confidentiality and integrity, with a lesser effect on availability.
Remediation
- To address this vulnerability, Vaultwarden operators should upgrade to version 1.35.4 or later without delay. System administrators should review access logs for suspicious activity related to collection permission changes, in particular bulk permission updates performed by manager accounts. A thorough audit of existing collection permissions is also recommended, together with applying the principle of least privilege across all user roles. Regular security assessments and prompt application of security updates remain essential for maintaining the overall security posture of Vaultwarden installations.
References
- [1] GitHub Security Advisory GHSA-r32r-j5jq-3w4m. https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-r32r-j5jq-3w4m
- [2] Common Weakness Enumeration: CWE-269 (Improper Privilege Management). https://cwe.mitre.org/data/definitions/269.html
- [3] Common Weakness Enumeration: CWE-863 (Incorrect Authorization). https://cwe.mitre.org/data/definitions/863.html