CVE-2026-26012

MEDIUM

Dani-garcia Vaultwarden < 1.35.3 - Incorrect Authorization

Title source: rule

Description

vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to 1.35.3, a regular organization member can retrieve all ciphers within an organization, regardless of collection permissions. The endpoint /ciphers/organization-details is accessible to any organization member and internally uses Cipher::find_by_org to retrieve all ciphers. These ciphers are returned with CipherSyncType::Organization without enforcing collection-level access control. This vulnerability is fixed in 1.35.3.
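The authorization gap the description outlines is the classic CWE-863 pattern: the handler checks that the caller belongs to the organization but then hands back everything the organization owns, skipping the per-collection check that normally decides which ciphers a member may see. The following Rust block is an added illustration of that pattern against its corrected form; it is not Vaultwarden's code, and the `Cipher`, `Membership`, `org_details_unfiltered` and `org_details_authorized` names, the sample data and the `sees_all_collections` flag are constructed for this example (the advisory's own identifiers, `Cipher::find_by_org` and `CipherSyncType::Organization`, are only referenced in comments).

```rust
use std::collections::HashSet;

/// Constructed model of an organization cipher: its id, owning org, and the
/// collections it is shared into. Not Vaultwarden's struct.
#[derive(Debug, Clone, PartialEq)]
pub struct Cipher {
    pub id: &'static str,
    pub org_id: &'static str,
    pub collection_ids: Vec<&'static str>,
}

/// Constructed model of an org membership: the org, whether the role may see
/// every collection (e.g. an owner), and the collections the member was granted.
#[derive(Debug, Clone)]
pub struct Membership {
    pub user_id: &'static str,
    pub org_id: &'static str,
    pub sees_all_collections: bool,
    pub collection_ids: HashSet<&'static str>,
}

/// The behaviour the advisory describes: like a `find_by_org` lookup, every
/// cipher in the org is returned, and no collection-level filter is applied
/// before the result is serialized for the caller.
pub fn org_details_unfiltered<'a>(all: &'a [Cipher], org_id: &str) -> Vec<&'a Cipher> {
    all.iter().filter(|c| c.org_id == org_id).collect()
}

/// Corrected variant: membership in the org is verified first, and a regular
/// member only receives ciphers that sit in at least one collection they hold.
pub fn org_details_authorized<'a>(
    all: &'a [Cipher],
    member: &Membership,
    org_id: &str,
) -> Result<Vec<&'a Cipher>, &'static str> {
    if member.org_id != org_id {
        return Err("caller is not a member of this organization");
    }
    let visible = all
        .iter()
        .filter(|c| c.org_id == org_id)
        .filter(|c| {
            member.sees_all_collections
                || c.collection_ids.iter().any(|cid| member.collection_ids.contains(cid))
        })
        .collect();
    Ok(visible)
}

/// Constructed sample data: three ciphers in org "org-a" spread over two
/// collections, plus one cipher in an unrelated org.
pub fn sample_ciphers() -> Vec<Cipher> {
    vec![
        Cipher { id: "c1", org_id: "org-a", collection_ids: vec!["coll-eng"] },
        Cipher { id: "c2", org_id: "org-a", collection_ids: vec!["coll-finance"] },
        Cipher { id: "c3", org_id: "org-a", collection_ids: vec!["coll-eng", "coll-finance"] },
        Cipher { id: "c4", org_id: "org-b", collection_ids: vec!["coll-b"] },
    ]
}

/// Constructed regular member of org-a who was granted only "coll-eng".
pub fn regular_member() -> Membership {
    Membership {
        user_id: "alice",
        org_id: "org-a",
        sees_all_collections: false,
        collection_ids: HashSet::from(["coll-eng"]),
    }
}

/// Constructed owner of org-a whose role may see every collection.
pub fn owner_member() -> Membership {
    Membership {
        user_id: "bob",
        org_id: "org-a",
        sees_all_collections: true,
        collection_ids: HashSet::new(),
    }
}

fn main() {
    let ciphers = sample_ciphers();
    let leaked = org_details_unfiltered(&ciphers, "org-a");
    let scoped = org_details_authorized(&ciphers, &regular_member(), "org-a").unwrap();
    println!("unfiltered: {} ciphers, collection-scoped: {} ciphers", leaked.len(), scoped.len());
}
```

The point to take from the two functions is where the filter lives: a membership check alone is not an authorization decision for organization data, because collection grants are the unit of access. A regression test like the one implied here (a member with one collection must never see a cipher from another) is the cheapest way to keep this class of bug from returning.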

Exploits (3)

- github, working PoC, 10 stars, by XiaomingX (Python PoC): https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-26012
- nomisec, working PoC, 1 star, by Dulieno (PoC): https://github.com/Dulieno/CVE-2026-26012
- github, working PoC, by diegobaelen (Python PoC): https://github.com/diegobaelen/CVE-2026-26012

Scores

CVSS v3 6.5
EPSS 0.0001
EPSS Percentile 2.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-863
Status published
Products (1)
dani-garcia/vaultwarden < 1.35.3
Published Feb 11, 2026
Tracked Since Feb 18, 2026