Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2026-27803

Vaultwarden's Collection Management Operations Allowed Without `manage` Verification for Manager Role
Back to all
CVE

CVE-2026-27803

Vaultwarden's Collection Management Operations Allowed Without `manage` Verification for Manager Role

Summary

Testing confirmed that even when a Manager has manage=false for a given collection, they can still perform the following management operations as long as they have access to the collection:

  • PUT /api/organizations/<orgid>/collections/<colid> succeeds (HTTP 200)
  • PUT /api/organizations/<orgid>/collections/<colid>/users succeeds (HTTP 200)
  • DELETE /api/organizations/<orgid>/collections/<colid> succeeds (HTTP 200)

Description

  • The Manager guard checks only whether the user can access the collection, not whether they have manage privileges. This check is directly applied to management endpoints.

src/auth.rs:816

  ```rust

  if !Collection::canaccesscollection(&headers.membership, &col_id, &conn).await {

      err_handler!("The current user isn't a manager for this collection")

  }

  ```

  • The canaccesscollection function does not evaluate the manage flag.

  src/db/models/collection.rs:140

  ```rust

  pub async fn canaccesscollection(member: &Membership, col_id: &CollectionId, conn: &DbConn) -> bool {

      member.has_status(MembershipStatus::Confirmed)

          && (member.hasfullaccess()

              || CollectionUser::hasaccesstocollectionbyuser(colid, &member.user_uuid, conn).await

              || ...

  ```

  • A separate management-permission check exists and includes manage validation, but it is not used during authorization for the affected endpoints.

  src/db/models/collection.rs:516

  ```rust

  pub async fn ismanageablebyuser(&self, useruuid: &UserId, conn: &DbConn) -> bool {

      let Some(member) = Membership::findconfirmedbyuserandorg(useruuid, &self.org_uuid, conn).await else {

          return false;

      };

      if member.hasfullaccess() {

          return true;

      }

      ...

  ```

  • The actual update and deletion endpoints only accept ManagerHeaders and do not perform additional manage checks.

  src/api/core/organizations.rs:608

  async fn put_organization_collection_update(..., headers: ManagerHeaders, ...)

  src/api/core/organizations.rs:890

  async fn put_collection_users(..., headers: ManagerHeaders, ...)

  

src/api/core/organizations.rs:747

```rust

  async fn deleteorganizationcollection(..., headers: ManagerHeaders, ...)

  ```

Preconditions

  • The attacker is a Manager within the target organization.
  • The attacker has access to the target collection (assigned=true).
  • The attacker’s permission for that collection is manage=false.
  • A valid API access token has been obtained.

Steps to Reproduce

  1. Confirm that the attacker’s current permissions for the target collection include manage=false.

<img width="2015" height="636" alt="image" src="https://github.com/user-attachments/assets/58ddc733-e37c-4766-a980-b1ea1918ceb4" />

  1. As a control test, verify that update operations fail for collections the attacker cannot access.

<img width="2021" height="852" alt="image" src="https://github.com/user-attachments/assets/d8699442-2dfc-4d73-8940-ec10f4a175f0" />

  1. Confirm that update operations succeed for the target collection where manage=false.

<img width="2013" height="690" alt="image" src="https://github.com/user-attachments/assets/33d9845d-d18e-456c-a58c-e780911347a9" />

  1. Use PUT /collections/{col_id}/users to set manage=true, confirming that the attacker can escalate their own privileges.

<img width="2018" height="488" alt="image" src="https://github.com/user-attachments/assets/da8c5246-cf2a-46c2-9a25-e99d907f852d" />

  1. Verify that deletion of the collection succeeds despite the Manager lacking management rights.

<img width="2018" height="487" alt="image" src="https://github.com/user-attachments/assets/a97c8fb2-4f97-4c2a-a90b-9d95dbde84fd" />

Required Minimum Privileges

  • Organization Manager role (Owner/Admin privileges are not required)
  • Works even with access_all=false
  • Only access rights to the target collection are required (manage privilege is not required)

Attack Scenario

A restricted Manager (intended for read/use-only access) directly invokes the API to update collection settings, elevate their own privileges to manage=true, and even delete the collection.

This allows the user to bypass operational access restrictions and effectively gain administrator-equivalent control over the collection.

Potential Impact

  • Confidentiality: Expansion of access scope through unauthorized privilege escalation and configuration changes.
  • Integrity: Unauthorized modification of collection settings and assignments; potential disabling of access controls.
  • Availability: Deletion of collections may disrupt business operations.

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
8.3
-
3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
C
H
U
-

Related Resources

No items found.

References

https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h4hq-rgvh-wh27, https://github.com/dani-garcia/vaultwarden

Severity

8.3

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
8.3
EPSS Probability
0.0006%
EPSS Percentile
0.18671%
Introduced Version
0
Fix Available
1.35.4

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading