CVE-2025-24365

HIGH

vaultwarden < 1.33.0 - Improper Access Control

Description

vaultwarden is an unofficial Bitwarden-compatible server written in Rust, formerly known as bitwarden_rs. An authenticated attacker can obtain owner rights in another organization. To exploit this, the attacker must know the ID of the victim organization (realistically, the attacker may already be a member of that organization as an unprivileged user) and must be the owner or admin of some other organization (by default, any user can create their own organization). This vulnerability is fixed in 1.33.0.
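As an added illustration of the bug class this entry describes (CWE-284, improper access control), and not vaultwarden's own code: a role-update handler that checks the caller's privilege against one organization id taken from the request but applies the change to a different organization id also taken from the request, shown beside a hardened form that binds both to the same id. The request fields, the in-memory store, the role names and the sample users are assumptions made for the example; this page does not say which vaultwarden endpoint or field was affected.

```rust
use std::collections::HashMap;

/// Organization membership roles (names chosen for this example).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Role {
    User,
    Admin,
    Owner,
}

#[derive(Debug, PartialEq, Eq)]
pub enum AuthzError {
    Forbidden,
    NotFound,
}

/// Minimal in-memory membership table: (user_id, org_id) -> role.
#[derive(Default)]
pub struct Store {
    memberships: HashMap<(String, String), Role>,
}

/// What the request carries: `path_org_id` from the URL, the rest from the
/// body. Hypothetical field names, not the Bitwarden API's.
pub struct SetRoleRequest<'a> {
    pub path_org_id: &'a str,
    pub body_org_id: &'a str,
    pub target_user_id: &'a str,
    pub new_role: Role,
}

impl Store {
    pub fn add(&mut self, user: &str, org: &str, role: Role) {
        self.memberships.insert((user.to_string(), org.to_string()), role);
    }

    pub fn role_of(&self, user: &str, org: &str) -> Option<Role> {
        self.memberships.get(&(user.to_string(), org.to_string())).copied()
    }

    fn is_admin_or_owner(&self, user: &str, org: &str) -> bool {
        matches!(self.role_of(user, org), Some(Role::Admin | Role::Owner))
    }

    /// VULNERABLE: the privilege check is bound to the org id in the path, but
    /// the write goes to the org id in the body. The two are never compared, so
    /// an admin of any org can edit memberships in any org whose id they know.
    pub fn set_role_vulnerable(&mut self, caller: &str, req: &SetRoleRequest) -> Result<(), AuthzError> {
        if !self.is_admin_or_owner(caller, req.path_org_id) {
            return Err(AuthzError::Forbidden);
        }
        let key = (req.target_user_id.to_string(), req.body_org_id.to_string());
        let slot = self.memberships.get_mut(&key).ok_or(AuthzError::NotFound)?;
        *slot = req.new_role;
        Ok(())
    }

    /// HARDENED: the org written is exactly the org the caller was authorized
    /// for (path only; the body value is ignored), and granting Owner requires
    /// the caller to be an Owner there (example policy).
    pub fn set_role_hardened(&mut self, caller: &str, req: &SetRoleRequest) -> Result<(), AuthzError> {
        let org = req.path_org_id;
        let caller_role = self.role_of(caller, org);
        if !matches!(caller_role, Some(Role::Admin | Role::Owner)) {
            return Err(AuthzError::Forbidden);
        }
        if req.new_role == Role::Owner && caller_role != Some(Role::Owner) {
            return Err(AuthzError::Forbidden);
        }
        let key = (req.target_user_id.to_string(), org.to_string());
        let slot = self.memberships.get_mut(&key).ok_or(AuthzError::NotFound)?;
        *slot = req.new_role;
        Ok(())
    }
}

/// Scenario from the description (constructed data): the attacker owns
/// "attacker-org" and is an unprivileged member of "victim-org".
pub fn scenario() -> Store {
    let mut s = Store::default();
    s.add("attacker", "attacker-org", Role::Owner);
    s.add("attacker", "victim-org", Role::User);
    s.add("victim-owner", "victim-org", Role::Owner);
    s
}

/// Attacker's request: authorized against their own org, aimed at the victim's.
pub fn attack_request<'a>(path_org_id: &'a str) -> SetRoleRequest<'a> {
    SetRoleRequest { path_org_id, body_org_id: "victim-org", target_user_id: "attacker", new_role: Role::Owner }
}

/// Returns (handler result, attacker's resulting role in victim-org).
pub fn run_vulnerable() -> (Result<(), AuthzError>, Option<Role>) {
    let mut s = scenario();
    let r = s.set_role_vulnerable("attacker", &attack_request("attacker-org"));
    (r, s.role_of("attacker", "victim-org"))
}

/// Same request against the hardened handler; `path_org_id` lets the caller
/// try both the cross-org trick and a direct attempt on the victim org.
pub fn run_hardened(path_org_id: &str) -> (Result<(), AuthzError>, Option<Role>) {
    let mut s = scenario();
    let r = s.set_role_hardened("attacker", &attack_request(path_org_id));
    (r, s.role_of("attacker", "victim-org"))
}

fn main() {
    println!("vulnerable:            {:?}", run_vulnerable());
    println!("hardened (cross-org):  {:?}", run_hardened("attacker-org"));
    println!("hardened (direct):     {:?}", run_hardened("victim-org"));
}
```

The hardened handler yields two distinct failure modes worth noting: with the attacker's own org in the path the write is confined to that org (the body id is simply ignored, so the victim is untouched), and with the victim org in the path the caller's own role there is checked and the request is refused.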

Scores

CVSS v3 8.1
EPSS 0.0065
EPSS Percentile 46.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-284
Status published
Products (1)
dani-garcia/vaultwarden < 1.33.0
Published Jan 27, 2025
Tracked Since Feb 18, 2026