{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability to use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-27803",
        "tracking": {
            "current_release_date": "2026-03-23T10:26:57.073382Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-27803",
            "initial_release_date": "2026-03-04T20:39:47.730848Z",
            "revision_history": [
                {
                    "date": "2026-03-04T20:39:47.730848Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-04T20:39:50.425055Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-04T22:25:50.270254Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (1).| CWES updated (1)."
                },
                {
                    "date": "2026-03-04T22:25:54.055935Z",
                    "number": "4",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-04T22:39:56.637832Z",
                    "number": "5",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (1).| CWES updated (1)."
                },
                {
                    "date": "2026-03-04T22:40:06.115851Z",
                    "number": "6",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-05T11:06:16.254935Z",
                    "number": "7",
                    "summary": "Source connected.| CVE status created. (valid)| Products connected (2).| References created (6)."
                },
                {
                    "date": "2026-03-05T11:06:17.764389Z",
                    "number": "8",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-05T12:30:36.926407Z",
                    "number": "9",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1).| Vendor_assessment created."
                },
                {
                    "date": "2026-03-05T12:30:38.413557Z",
                    "number": "10",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-05T14:14:09.030356Z",
                    "number": "11",
                    "summary": "Source created.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-05T14:14:15.149106Z",
                    "number": "12",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-05T16:39:45.883475Z",
                    "number": "13",
                    "summary": "Unknown change."
                },
                {
                    "date": "2026-03-06T20:26:30.770590Z",
                    "number": "14",
                    "summary": "Products connected (1).| Product Identifiers created (1)."
                },
                {
                    "date": "2026-03-06T20:26:35.593283Z",
                    "number": "15",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-20T09:39:45.210613Z",
                    "number": "16",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-20T09:39:48.606180Z",
                    "number": "17",
                    "summary": "NCSC Score updated."
                }
            ],
            "status": "interim",
            "version": "17"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<1.35.0",
                                "product": {
                                    "name": "vers:unknown/<1.35.0",
                                    "product_id": "CSAFPID-5761788"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<1.35.4",
                                "product": {
                                    "name": "vers:unknown/<1.35.4",
                                    "product_id": "CSAFPID-5761789"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Vaultwarden"
                    }
                ],
                "category": "vendor",
                "name": "Open Source"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<1.35.4",
                                "product": {
                                    "name": "vers:unknown/<1.35.4",
                                    "product_id": "CSAFPID-5759412",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:dani-garcia:vaultwarden:*:*:*:*:*:*:*:*"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "vaultwarden"
                    }
                ],
                "category": "vendor",
                "name": "dani-garcia"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-27803",
            "cwe": {
                "id": "CWE-863",
                "name": "Incorrect Authorization"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "## Summary\n\nTesting confirmed that even when a Manager has `manage=false` for a given collection, they can still perform the following management operations as long as they have access to the collection:\n\n* `PUT /api/organizations/<org_id>/collections/<col_id>` succeeds (HTTP 200)\n* `PUT /api/organizations/<org_id>/collections/<col_id>/users` succeeds (HTTP 200)\n* `DELETE /api/organizations/<org_id>/collections/<col_id>` succeeds (HTTP 200)\n\n\n\n## Description\n\n* The Manager guard checks only whether the user **can access the collection**, not whether they have `manage` privileges. This check is directly applied to management endpoints.\nsrc/auth.rs:816\n  ```rust\n\n  if !Collection::can_access_collection(&headers.membership, &col_id, &conn).await {\n      err_handler!(\"The current user isn't a manager for this collection\")\n  }\n  ```\n\n* The `can_access_collection` function does **not** evaluate the `manage` flag.\n  src/db/models/collection.rs:140\n\n  ```rust\n\n  pub async fn can_access_collection(member: &Membership, col_id: &CollectionId, conn: &DbConn) -> bool {\n      member.has_status(MembershipStatus::Confirmed)\n          && (member.has_full_access()\n              || CollectionUser::has_access_to_collection_by_user(col_id, &member.user_uuid, conn).await\n              || ...\n  ```\n\n* A separate management-permission check exists and includes `manage` validation, but it is **not used** during authorization for the affected endpoints.\n  src/db/models/collection.rs:516\n\n  ```rust\n\n  pub async fn is_manageable_by_user(&self, user_uuid: &UserId, conn: &DbConn) -> bool {\n      let Some(member) = Membership::find_confirmed_by_user_and_org(user_uuid, &self.org_uuid, conn).await else {\n          return false;\n      };\n      if member.has_full_access() {\n          return true;\n      }\n      ...\n  ```\n\n* The actual update and deletion endpoints only accept `ManagerHeaders` and do not perform additional `manage` checks.\n  src/api/core/organizations.rs:608\n\n```rust\n  async fn put_organization_collection_update(..., headers: ManagerHeaders, ...)\n```\n\n  src/api/core/organizations.rs:890\n\n```rust\n  async fn put_collection_users(..., headers: ManagerHeaders, ...)\n```\n  \n\nsrc/api/core/organizations.rs:747\n\n```rust\n  async fn delete_organization_collection(..., headers: ManagerHeaders, ...)\n  ```\n\n\n\n## Preconditions\n\n* The attacker is a **Manager** within the target organization.\n* The attacker has access to the target collection (`assigned=true`).\n* The attacker’s permission for that collection is `manage=false`.\n* A valid API access token has been obtained.\n\n\n\n## Steps to Reproduce\n\n1. Confirm that the attacker’s current permissions for the target collection include `manage=false`.\n<img width=\"2015\" height=\"636\" alt=\"image\" src=\"https://github.com/user-attachments/assets/58ddc733-e37c-4766-a980-b1ea1918ceb4\" />\n\n2. As a control test, verify that update operations fail for collections the attacker cannot access.\n<img width=\"2021\" height=\"852\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d8699442-2dfc-4d73-8940-ec10f4a175f0\" />\n\n3. Confirm that update operations succeed for the target collection where `manage=false`.\n<img width=\"2013\" height=\"690\" alt=\"image\" src=\"https://github.com/user-attachments/assets/33d9845d-d18e-456c-a58c-e780911347a9\" />\n\n4. Use `PUT /collections/{col_id}/users` to set `manage=true`, confirming that the attacker can escalate their own privileges.\n<img width=\"2018\" height=\"488\" alt=\"image\" src=\"https://github.com/user-attachments/assets/da8c5246-cf2a-46c2-9a25-e99d907f852d\" />\n\n5. Verify that deletion of the collection succeeds despite the Manager lacking management rights.\n<img width=\"2018\" height=\"487\" alt=\"image\" src=\"https://github.com/user-attachments/assets/a97c8fb2-4f97-4c2a-a90b-9d95dbde84fd\" />\n\n\n\n## Required Minimum Privileges\n\n* Organization Manager role (Owner/Admin privileges are not required)\n* Works even with `access_all=false`\n* Only access rights to the target collection are required (`manage` privilege is not required)\n\n\n\n## Attack Scenario\n\nA restricted Manager (intended for read/use-only access) directly invokes the API to update collection settings, elevate their own privileges to `manage=true`, and even delete the collection.\n\nThis allows the user to bypass operational access restrictions and effectively gain administrator-equivalent control over the collection.\n\n\n\n## Potential Impact\n\n* **Confidentiality:** Expansion of access scope through unauthorized privilege escalation and configuration changes.\n* **Integrity:** Unauthorized modification of collection settings and assignments; potential disabling of access controls.\n* **Availability:** Deletion of collections may disrupt business operations.",
                    "title": "github - https://github.com/advisories/GHSA-h4hq-rgvh-wh27"
                },
                {
                    "category": "description",
                    "text": "Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, when a Manager has manage=false for a given collection, they can still perform several management operations as long as they have access to the collection. This issue has been patched in version 1.35.4.",
                    "title": "nvd - https://nvd.nist.gov/vuln/detail/CVE-2026-27803"
                },
                {
                    "category": "description",
                    "text": "Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, when a Manager has manage=false for a given collection, they can still perform several management operations as long as they have access to the collection. This issue has been patched in version 1.35.4.",
                    "title": "cveprojectv5 - https://www.cve.org/CVERecord?id=CVE-2026-27803"
                },
                {
                    "category": "description",
                    "text": "No description is available for this CVE.\nThis IMPORTANT access control bypass in Vaultwarden allows a Manager with manage=false to perform unauthorized management operations on accessible collections. Exploitation requires network access and a Manager account (PR:L). Impact includes high confidentiality loss (unauthorized data access), high integrity loss (unauthorized modifications), and low availability impact (potential limited disruption). Affects versions prior to 1.35.4. Red Hat does not ship Vaultwarden.",
                    "title": "redhat - https://access.redhat.com/security/cve/CVE-2026-27803"
                },
                {
                    "category": "other",
                    "text": "0.00045",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "4.8",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "There is product data available from source Certbundde, Is related to CWE-863 (Incorrect Authorization), There is product data available from source Nvd",
                    "title": "NCSC Score top increasing factors"
                },
                {
                    "category": "other",
                    "text": "The CVSS vector string contains A:H (Availability Impact: High), There is cwe data available from source Github, Is related to (a version of) an uncommon product, Is related to a product by vendor Open Source",
                    "title": "NCSC Score top decreasing factors"
                },
                {
                    "category": "details",
                    "text": "Severity: 3\n",
                    "title": "Vendor assessment"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5759412",
                    "CSAFPID-5761788",
                    "CSAFPID-5761789"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://github.com/advisories/GHSA-h4hq-rgvh-wh27"
                },
                {
                    "category": "external",
                    "summary": "Source raw - github",
                    "url": "https://api.github.com/advisories/GHSA-h4hq-rgvh-wh27"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27803"
                },
                {
                    "category": "external",
                    "summary": "Source raw - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-27803"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://www.cve.org/CVERecord?id=CVE-2026-27803"
                },
                {
                    "category": "external",
                    "summary": "Source raw - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/27xxx/CVE-2026-27803.json"
                },
                {
                    "category": "external",
                    "summary": "Source - certbundde",
                    "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0594.json"
                },
                {
                    "category": "external",
                    "summary": "Source - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2026-27803"
                },
                {
                    "category": "external",
                    "summary": "Source raw - redhat",
                    "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27803.json"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27803"
                },
                {
                    "category": "external",
                    "summary": "Source raw - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; redhat",
                    "url": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h4hq-rgvh-wh27"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde; github",
                    "url": "https://github.com/advisories/GHSA-h4hq-rgvh-wh27"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0594.json"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0594"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://github.com/advisories/GHSA-r32r-j5jq-3w4m"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://github.com/advisories/GHSA-v6pg-v89r-w8wr"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://github.com/advisories/GHSA-w9f8-m526-h7fh"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://www.cve.org/CVERecord?id=CVE-2026-27803"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27803"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
                        "baseScore": 8.3,
                        "baseSeverity": "HIGH"
                    },
                    "products": [
                        "CSAFPID-5759412",
                        "CSAFPID-5761788",
                        "CSAFPID-5761789"
                    ]
                }
            ],
            "title": "CVE-2026-27803"
        }
    ]
}