CVE-2026-26012

MEDIUM

vaultwarden < 1.35.3 - Incorrect Authorization via Organization Ciphers Endpoint

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-26012. PoCs published by XiaomingX, Dulieno, diegobaelen.


Description

vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to 1.35.3, a regular organization member can retrieve all ciphers within an organization, regardless of collection permissions. The endpoint /ciphers/organization-details is accessible to any organization member and internally uses Cipher::find_by_org to retrieve all ciphers. These ciphers are returned with CipherSyncType::Organization without enforcing collection-level access control. This vulnerability is fixed in 1.35.3.

Exploits (3)

GitHub · working PoC · 10 stars
by XiaomingX · python · poc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-26012

This repository contains a functional SQL injection exploit for WordPress Quiz Maker (CVE-2025-10042), demonstrating time-based blind SQLi via crafted HTTP headers. The PoC includes automated data extraction for admin credentials and hashes.

Classification: working PoC (95%)
Attack type: SQLi
Complexity: moderate
Reliability: reliable
Target: WordPress Quiz Maker <= 6.7.0.56
Authentication: no auth needed
Prerequisites: target WordPress URL · path to quiz page · vulnerable header (default: X-Forwarded-For)
Analyzed by devstral-2 · Feb 27, 2026
nomisec · working PoC · 1 star
by Dulieno · poc
https://github.com/Dulieno/CVE-2026-26012

This repository contains a functional proof-of-concept exploit for CVE-2026-26012, a broken access control vulnerability in Vaultwarden (<= 1.35.2). The exploit demonstrates how any organization member can retrieve and decrypt all ciphers within the organization, regardless of collection-level permissions, by leveraging the vulnerable `/api/ciphers/organization-details` endpoint.

Classification: working PoC (100%)
Attack type: auth bypass
Complexity: moderate
Reliability: reliable
Target: Vaultwarden <= 1.35.2
Authentication: auth required
Prerequisites: valid organization member credentials · access to the Vaultwarden API
Analyzed by devstral-2 · Feb 18, 2026
GitHub · working PoC
by diegobaelen · python · poc
https://github.com/diegobaelen/CVE-2026-26012

This repository contains a functional Python script that exploits CVE-2026-26012, an authenticated permissions bypass vulnerability in Vaultwarden. The script interacts with the Vaultwarden API to export organization details and compare collection permissions, demonstrating the vulnerability.

Classification: working PoC (95%)
Attack type: auth bypass
Complexity: moderate
Reliability: reliable
Target: Vaultwarden
Authentication: auth required
Prerequisites: valid authentication token · organization ID
Analyzed by devstral-2 · Feb 18, 2026

Scores

CVSS v3 6.5
EPSS 0.0033
EPSS Percentile 24.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-863
Status published
Products (1)
dani-garcia/vaultwarden < 1.35.3
Published Feb 11, 2026
Tracked Since Feb 18, 2026