wid-sec-w-2026-0594 · Published 2026-03-04 · View on BSI CERT-Bund ↗

Vaultwarden: Multiple Vulnerabilities

CVSS 8.3 HIGH

Risk Summary

Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, when a Manager has manage=false for a given collection, they can still perform several management operations as long as they have access to the collection. This issue has been patched in version 1.35.4.

CVEs (4)

CVE-2026-27801 CVE-2026-27802 CVE-2026-27803 CVE-2026-27898

Affected Vendors

Open Source

Affected Products (4)

Open Source · Vaultwarden <1.35.4

Open Source · Vaultwarden 1.35.4

Open Source · Vaultwarden <1.35.0

Open Source · Vaultwarden 1.35.0

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more